Question:

Unable to log in to email server that I can telnet to?

Owen: 02 February 2022

I just finished following this tutorial (https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin) on Digital Ocean for configuring a Dovecot, MySQL, and Postfix email server. I did not follow it to the end. (I didn't install Spam Assassin.) I also used a self-generated SSL temporarily. Other than that, I followed the tutorial to the letter. At every point where I was told to do a test command, I did so and the results were what the author said they should be.

The problem is that using an email client (like Thunderbird) I cannot log in to the server. However, using Telnet I can connect to SMTP on ports 587 and 25. I can also connect to IMAP on port 993. (25, 587, and 993 are the ONLY ports I have forwarded from my external IP.)

I have checked the data in the MySQL DB. My user exists with my desired password.

How can I troubleshoot the issue here? Is there a way to test login credentials using telnet?

EDIT

Authentication is the issue. I've initiated the connection with openssl s_client -connect mail.example.com:587 -starttls smtp (Thanks 84104). My exchange then looks like this...

ehlo example.com
250-hostname.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
MyBase64EncodedUsername
334 UGFzc3dvcmQ6
MyBase64EncodedPassword
535 5.7.8 Error: authentication failed: Connection lost to authentication server

Is there a debugging route I can take to find the problem? Is this simply authentication or a connection issue?

Answer:
Xavier: 02 February 2022

smtpd_tls_auth_only = yes means that telnet isn't going to be a viable option for credential testing. You really don't want to do the TLS negotiation by hand.

Instead use something like openssl s_client (https://linux.die.net/man/1/s_client), e.g. openssl s_client -connect mail.example.com:587 -starttls smtp.

Once connected you can then issue the standard commands. The exchange should look similar to:

S> Blah...Blah...Blah...
S> ---
S> 250 DSN
C> ehlo <client hostname>
S> 250-<server hostname>
S> Blah...Blah...
S> 250-AUTH PLAIN LOGIN
S> Blah...Blah...
S> 250 DSN
C> auth plain <echo -ne '\0<username>\0<password>' | base64>
S> 235 2.7.0 Authentication successful
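
Added example (not part of either post): shell helpers for the manual test described in the answer. They build the AUTH PLAIN and AUTH LOGIN values with printf instead of echo -ne, decode the 334 prompts seen in the question's transcript, and list the mechanisms from an EHLO reply. The function names and the test/test credentials are constructed for illustration, and GNU base64 is assumed.

```shell
#!/bin/sh
# Added example: helpers for a manual SMTP AUTH test typed into an
# `openssl s_client -connect mail.example.com:587 -starttls smtp` session.
# Function names and the test/test credentials are constructed, not from the page.
# base64 is an encoding, not encryption: use a throwaway account for tests.

# AUTH PLAIN token: base64(authzid NUL authcid NUL password), empty authzid.
# printf is used because echo's -n/-e handling differs between shells.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# AUTH LOGIN sends each field separately, base64-encoded on its own line.
auth_login_field() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode the text after "334 " to see what the server is prompting for.
decode_challenge() {
    printf '%s' "$1" | base64 -d
}

# Show the fields inside an AUTH PLAIN token, NULs rendered as '|' for display,
# to confirm that what was sent is really <NUL>user<NUL>password.
plain_token_fields() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# Read an EHLO reply on stdin and print the SASL mechanisms the server offers.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p'
}

# EHLO reply lines taken from the transcript in the question.
EHLO_REPLY='250-hostname.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 DSN'

echo "mechanisms: $(printf '%s\n' "$EHLO_REPLY" | ehlo_auth_mechs)"
echo "334 VXNlcm5hbWU6 -> $(decode_challenge VXNlcm5hbWU6)"
echo "334 UGFzc3dvcmQ6 -> $(decode_challenge UGFzc3dvcmQ6)"
echo "auth plain $(auth_plain_token test test)"
echo "fields: $(plain_token_fields "$(auth_plain_token test test)")"
```

Running plain_token_fields on a token before sending it catches a missing NUL or a swapped field, which would otherwise look identical to a wrong password on the wire.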