Trouble enabling mail_crypt in dovecot / SASL authentication failed

dovecot --version 2.3.4.1 (f79e8e7e4)

Ok, I tried to enable mail-crypt but it's being weird. I'm using https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key.

I ran:

cd $HOME
openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem

I edited the dovecot config to:

. . .
mail_max_userip_connections = 120
. . .
mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_global_private_key = </home/ec2-user/ecprivkey.pem
  mail_crypt_global_public_key = </home/ec2-user/ecpubkey.pem
  mail_crypt_save_version = 2
}
. . .

I see in the logs now:

deliver       | Apr 15 02:43:29 ip-172-31-0-35 postfix/submission/smtpd[19059]: warning: inet-MY IP-1.bos.netblazr.com[MY IP]: SASL PLAIN authentication failed: generic failure
deliver       | Apr 15 02:43:29 ip-172-31-0-35 postfix/submission/smtpd[19059]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
deliver       | Apr 15 02:43:29 ip-172-31-0-35 postfix/submission/smtpd[19059]: warning: inet.MY IP.bos.netblazr.com[MY IP]: SASL LOGIN authentication failed: generic failure
. . .
deliver       | Apr 15 02:44:08 ip-172-31-0-35 postfix/smtpd[22684]: NOQUEUE: reject: RCPT from mail-qk1-f176.google.com[209.85.222.176]: 451 4.3.5 <MY EEMAIL>: Recipient address rejected: Server configuration problem; from=<[email protected]> to=<MY EMAIL> proto=ESMTP helo=<mail-qk1-f176.google.com>
deliver       | Apr 15 02:44:08 ip-172-31-0-35 postfix/smtpd[22684]: disconnect from mail-qk1-f176.google.com[209.85.222.176] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7

I wonder why SASL is now enabled for postfix to work/authenticate (when it's not if I turn off mail_crypt).

I'm guessing "Server configuration problem" is the problem here...

Any suggestions where I should look?


Got it -- totally misunderstood where to put mail_crypt. Here is what I did:

services:
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    env_file: mailserver.env
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - ./maildata:/var/mail
      - ./mailstate:/var/mail-state
      - ./maillogs:/var/log/mail
      - ./config/:/tmp/docker-mailserver/${SELINUX_LABEL}
      - ./config/dovecot:/etc/dovecot/conf.d
      - ./certs/:/certs
      - /etc/letsencrypt:/etc/letsencrypt
    restart: always
    cap_add: [ "NET_ADMIN", "SYS_PTRACE" ]

I then edited the volume-mounted ./config/dovecot/20-lmtp.conf instead of the main dovecot config and added:

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve mail_crypt
  plugin {
    mail_crypt_global_private_key = </certs/ecprivkey.pem
    mail_crypt_global_public_key = </certs/ecpubkey.pem
    mail_crypt_save_version = 2
  }
}

Then also edited the 20-imap.conf:

protocol imap {
  # allow IMAP clients to ask quota usage
  mail_plugins = $mail_plugins imap_quota mail_crypt
  plugin {
    mail_crypt_global_private_key = </certs/ecprivkey.pem
    mail_crypt_global_public_key = </certs/ecpubkey.pem
    mail_crypt_save_version = 2
  }
}

Works great now :)
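As an added example (not part of this thread and not docker-mailserver's or dovecot's own code), a small Python checker that parses conf.d-style `protocol { ... plugin { ... } }` blocks like the two above and reports, per protocol, whether mail_crypt is actually in the expanded mail_plugins list and both global keys are set, which is exactly the placement mistake this thread hit. The sample config is constructed; lmtp is configured correctly and imap still lacks mail_crypt.

```python
# Constructed sample in the style of 20-lmtp.conf / 20-imap.conf: lmtp done, imap not yet.
SAMPLE = """
mail_plugins = $mail_plugins quota
protocol lmtp {
  mail_plugins = $mail_plugins sieve mail_crypt
  plugin {
    mail_crypt_global_private_key = </certs/ecprivkey.pem
    mail_crypt_global_public_key = </certs/ecpubkey.pem
    mail_crypt_save_version = 2
  }
}
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
"""

def parse_blocks(text):
    """Parse dovecot's `key = value` and `name { ... }` syntax into nested dicts."""
    stack = [{}]                              # stack[0] is the root section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                # open a section such as `protocol lmtp {`
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                     # close the innermost section
            stack.pop()
        else:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip()
    return stack[0]

KEYS = ("mail_crypt_global_private_key", "mail_crypt_global_public_key")
def audit_mail_crypt(text):
    """Per protocol block: is mail_crypt loaded, are both keys set, which save version?"""
    cfg = parse_blocks(text)
    base = cfg.get("mail_plugins", "").replace("$mail_plugins", "")  # global plugin list
    report = {}
    for name, block in cfg.items():
        if not name.startswith("protocol "):
            continue
        # `$mail_plugins` inside a protocol block expands to the global list
        plugins = block.get("mail_plugins", "$mail_plugins").replace("$mail_plugins", base).split()
        plug = block.get("plugin", {})
        report[name.split()[1]] = {
            "mail_crypt": "mail_crypt" in plugins,
            "keys_set": all(plug.get(k, "").startswith("<") for k in KEYS),
            "save_version": plug.get("mail_crypt_save_version"),
        }
    return report
```

Run it against the real files in ./config/dovecot to see which protocols would still deliver or serve mail unencrypted; a protocol reporting `mail_crypt: False` is the case the first post ran into.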