If I am using dovecot for submission, should I reject all emails sent through postfix?

I have configured dovecot submission service on port 587, with the relay being the postfix server. They are on two different ip addresses/machines.

The only way I want email to be sent is through port 587, meaning dovecot will handle it and relay it to postfix. I do not want people or anything connecting to port 25 to create new emails and send them to anybody. Everything has to go through dovecot, and therefore all mails are authenticated against a SASL/mysql database.

Does this mean in postfix, I should set:

smtpd_sender_restrictions = reject

Therefore any sender is immediately rejected without any processing at all, or would this prevent dovecot from also sending?

Ubuntu 16.04 + Postfix + Dovecot => Send ok, but not Receiving

I’m using Ubuntu 16.04, and installed iredadmin.

Postfix + Dovecot are running, but I can't receive e-mails, just send.

/var/log/mail.log (LOGS)

    Mar 19 13:08:51 construlista postfix/smtpd[17128]: >>> CHECKING RECIPIENT MAPS <<<
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: ctable_locate: leave existing entry key fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: recipient_canonical_maps: fernando@construlista.com.br: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: recipient_canonical_maps: fernando: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: recipient_canonical_maps: @construlista.com.br: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: mail_addr_find: fernando@construlista.com.br -> (not found)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: canonical_maps: fernando@construlista.com.br: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: canonical_maps: fernando: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: canonical_maps: @construlista.com.br: not found
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: mail_addr_find: fernando@construlista.com.br -> (not found)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr request = lookup
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr table = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr flags = 524352
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr key = fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: private/proxymap socket: wanted attribute: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: 0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: private/proxymap socket: wanted attribute: value
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: value
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: private/proxymap socket: wanted attribute: (list terminator)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: dict_proxy_lookup: table=mysql:/etc/postfix/mysql/virtual_alias_maps.cf flags=lock|utf8_request key=fernando@construlista.com.br -> status=0 result=fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: maps_find: virtual_alias_maps: proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf(0,lock|fold_fix|utf8_request): fernando@construlista.com.br = fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: mail_addr_find: fernando@construlista.com.br -> fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: before input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_milters
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: after input_transp_cleanup: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: name_mask: sendmail
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: name_mask: verify
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: connect to subsystem public/cleanup
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: public/cleanup socket: wanted attribute: queue_id
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: queue_id
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: F0D43E0611
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: public/cleanup socket: wanted attribute: (list terminator)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr flags = 178
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: F0D43E0611: client=mail-ua1-f47.google.com[209.85.222.47]
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: > mail-ua1-f47.google.com[209.85.222.47]: 250 2.1.5 Ok
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: < mail-ua1-f47.google.com[209.85.222.47]: DATA
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: >>> START Data command RESTRICTIONS <<<
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: generic_checks: name=reject_unauth_pipelining
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: reject_unauth_pipelining: DATA
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: generic_checks: name=reject_unauth_pipelining status=0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: >>> END Data command RESTRICTIONS <<<
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: > mail-ua1-f47.google.com[209.85.222.47]: 354 End data with <CR><LF>.<CR><LF>
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: >>> START End-of-data RESTRICTIONS <<<
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: generic_checks: name=check_policy_service
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr request = smtpd_access_policy
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr protocol_state = END-OF-MESSAGE
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr protocol_name = ESMTP
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr client_address = 209.85.222.47
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr client_name = mail-ua1-f47.google.com
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr client_port = 37563
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr reverse_client_name = mail-ua1-f47.google.com
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr helo_name = mail-ua1-f47.google.com
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr sender = fernandoofj@gmail.com
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr recipient = fernando@construlista.com.br
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr recipient_count = 1
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr queue_id = F0D43E0611
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr instance = 42e8.5c90e9e2.e5ba4.0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr size = 3774
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr etrn_domain =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr stress =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr sasl_method =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr sasl_username =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr sasl_sender =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr ccert_subject =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr ccert_issuer =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr ccert_fingerprint =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr ccert_pubkey_fingerprint =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr encryption_protocol = TLSv1.2
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr encryption_cipher = ECDHE-RSA-AES128-GCM-SHA256
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr encryption_keysize = 128
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr policy_context =
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: 127.0.0.1:7777: wanted attribute: action
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: action
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: DUNNO
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: 127.0.0.1:7777: wanted attribute: (list terminator)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: check_table_result: inet:127.0.0.1:7777 DUNNO policy query
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: generic_checks: name=check_policy_service status=0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: >>> END End-of-data RESTRICTIONS <<<
    Mar 19 13:08:51 construlista postfix/cleanup[17133]: F0D43E0611: message-id=<CAOMs5R6Vo5iWq53JkPG54Cc0diz=ctC1=OjW-CJ=aPE+QKVuwQ@mail.gmail.com>
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: public/cleanup socket: wanted attribute: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: 0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: public/cleanup socket: wanted attribute: reason
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: reason
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: public/cleanup socket: wanted attribute: (list terminator)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: > mail-ua1-f47.google.com[209.85.222.47]: 250 2.0.0 Ok: queued as F0D43E0611
    Mar 19 13:08:51 construlista postfix/qmgr[16807]: F0D43E0611: from=<fernandoofj@gmail.com>, size=3993, nrcpt=1 (queue active)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: < mail-ua1-f47.google.com[209.85.222.47]: QUIT
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: > mail-ua1-f47.google.com[209.85.222.47]: 221 2.0.0 Bye
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: match_hostname: smtpd_client_event_limit_exceptions: mail-ua1-f47.google.com ~? 127.0.0.1
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: match_hostaddr: smtpd_client_event_limit_exceptions: 209.85.222.47 ~? 127.0.0.1
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: match_list_match: mail-ua1-f47.google.com: no match
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: match_list_match: 209.85.222.47: no match
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr request = disconnect
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: send attr ident = smtp:209.85.222.47
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: private/anvil: wanted attribute: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: status
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute value: 0
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: private/anvil: wanted attribute: (list terminator)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: input attribute name: (end)
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: disconnect from mail-ua1-f47.google.com[209.85.222.47] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: master_notify: status 1
    Mar 19 13:08:51 construlista postfix/smtpd[17128]: connection closed
    Mar 19 13:08:51 construlista postfix/10025/smtpd[17312]: connect from localhost.localdomain[127.0.0.1]
    Mar 19 13:08:51 construlista postfix/10025/smtpd[17312]: D0C27E0612: client=localhost.localdomain[127.0.0.1]
    Mar 19 13:08:51 construlista postfix/cleanup[17133]: D0C27E0612: message-id=<CAOMs5R6Vo5iWq53JkPG54Cc0diz=ctC1=OjW-CJ=aPE+QKVuwQ@mail.gmail.com>
    Mar 19 13:08:51 construlista postfix/10025/smtpd[17312]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Mar 19 13:08:51 construlista postfix/qmgr[16807]: D0C27E0612: from=<fernandoofj@gmail.com>, size=4607, nrcpt=1 (queue active)
    Mar 19 13:08:51 construlista amavis[777]: (00777-02) Passed CLEAN {RelayedInbound}, [209.85.222.47]:37563 [209.85.222.47] <fernandoofj@gmail.com> -> <fernando@construlista.com.br>, Queue-ID: F0D43E0611, Message-ID: <CAOMs5R6Vo5iWq53JkPG54Cc0diz=ctC1=OjW-CJ=aPE+QKVuwQ@mail.gmail.com>, mail_id: cEVMAl9_ElRd, Hits: 0.86, size: 3993, queued_as: D0C27E0612, dkim_sd=20161025:gmail.com, 805 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,FREEMAIL_FROM=0.001,HTML_IMAGE_ONLY_16=1.048,HTML_MESSAGE=0.001,SPF_PASS=-0.001,T_REMOTE_IMAGE=0.01,URIBL_BLOCKED=0.001]
    Mar 19 13:08:51 construlista postfix/amavis/smtp[17139]: F0D43E0611: to=<fernando@construlista.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.15/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D0C27E0612)
    Mar 19 13:08:51 construlista postfix/qmgr[16807]: F0D43E0611: removed
    Mar 19 13:08:51 construlista postfix/pipe[17313]: D0C27E0612: to=<fernando@construlista.com.br>, relay=dovecot, delay=0.13, delays=0.02/0.03/0/0.08, dsn=4.3.0, status=deferred (temporary failure)
    Mar 19 13:08:55 construlista postfix/smtpd[17128]: auto_clnt_close: disconnect private/tlsmgr stream
    Mar 19 13:08:55 construlista postfix/smtpd[17128]: rewrite stream disconnect
    Mar 19 13:08:55 construlista postfix/smtpd[17128]: proxymap stream disconnect
    Mar 19 13:10:20 construlista postfix/qmgr[16807]: 5461DE060E: from=<fernandoofj@gmail.com>, size=5401, nrcpt=1 (queue active)
    Mar 19 13:10:20 construlista postfix/qmgr[16807]: 6C0AFE060D: from=<fernandoofj@gmail.com>, size=4579, nrcpt=1 (queue active)
    Mar 19 13:10:20 construlista postfix/pipe[17313]: 5461DE060E: to=<fernando@construlista.com.br>, relay=dovecot, delay=468, delays=468/0.04/0/0.17, dsn=4.3.0, status=deferred (temporary failure)
    Mar 19 13:10:20 construlista postfix/pipe[17639]: 6C0AFE060D: to=<fernando@construlista.com.br>, relay=dovecot, delay=506, delays=506/0.03/0/0.19, dsn=4.3.0, status=deferred (temporary failure)

Postfix main.cf

    # --------------------
    # INSTALL-TIME CONFIGURATION INFORMATION
    #
    # location of the Postfix queue. Default is /var/spool/postfix.
    queue_directory = /var/spool/postfix

    # location of all postXXX commands. Default is /usr/sbin.
    command_directory = /usr/sbin

    # location of all Postfix daemon programs (i.e. programs listed in the
    # master.cf file). This directory must be owned by root.
    # Default is /usr/libexec/postfix
    daemon_directory = /usr/lib/postfix/sbin

    # location of Postfix-writable data files (caches, random numbers).
    # This directory must be owned by the mail_owner account (see below).
    # Default is /var/lib/postfix.
    data_directory = /var/lib/postfix

    # owner of the Postfix queue and of most Postfix daemon processes.
    # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
    # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
    # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
    # Default is postfix.
    mail_owner = postfix

    # The following parameters are used when installing a new Postfix version.
    #
    # sendmail_path: The full pathname of the Postfix sendmail command.
    # This is the Sendmail-compatible mail posting interface.
    #
    sendmail_path = /usr/sbin/sendmail

    # newaliases_path: The full pathname of the Postfix newaliases command.
    # This is the Sendmail-compatible command to build alias databases.
    #
    newaliases_path = /usr/bin/newaliases

    # full pathname of the Postfix mailq command.  This is the Sendmail-compatible
    # mail queue listing command.
    mailq_path = /usr/bin/mailq

    # group for mail submission and queue management commands.
    # This must be a group name with a numerical group ID that is not shared with
    # other accounts, not even with the Postfix account.
    setgid_group = postdrop

    # external command that is executed when a Postfix daemon program is run with
    # the -D option.
    #
    # Use "command .. & sleep 5" so that the debugger can attach before
    # the process marches on. If you use an X-based debugger, be sure to
    # set up your XAUTHORITY environment variable before starting Postfix.
    #
    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5

    debug_peer_level = 2

    # --------------------
    # CUSTOM SETTINGS
    #

    # SMTP server response code when recipient or domain not found.
    unknown_local_recipient_reject_code = 550

    # Do not notify local user.
    biff = no

    # Disable the rewriting of "site!user" into "user@site".
    swap_bangpath = no

    # Disable the rewriting of the form "user%domain" to "user@domain".
    allow_percent_hack = no

    # Allow recipient address start with '-'.
    allow_min_user = no

    # Disable the SMTP VRFY command. This stops some techniques used to
    # harvest email addresses.
    disable_vrfy_command = yes

    # Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
    inet_protocols = all

    # Enable all network interfaces.
    inet_interfaces = all

    #
    # TLS settings.
    #
    # SSL key, certificate, CA
    #
    smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
    smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
    smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

    #
    # Disable SSLv2, SSLv3
    #
    smtpd_tls_protocols = !SSLv2 !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
    smtp_tls_protocols = !SSLv2 !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
    lmtp_tls_protocols = !SSLv2 !SSLv3
    lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

    #
    # Fix 'The Logjam Attack'.
    #
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
    smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem

    tls_random_source = dev:/dev/urandom

    # Log only a summary message on TLS handshake completion — no logging of client
    # certificate trust-chain verification errors if client certificate
    # verification is not required. With Postfix 2.8 and earlier, log the summary
    # message, peer certificate summary information and unconditionally log
    # trust-chain verification errors.
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1

    # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
    # not require that clients use TLS encryption.
    smtpd_tls_security_level = may

    # Produce `Received:` message headers that include information about the
    # protocol and cipher used, as well as the remote SMTP client CommonName and
    # client certificate issuer CommonName.
    # This is disabled by default, as the information may be modified in transit
    # through other mail servers. Only information that was recorded by the final
    # destination can be trusted.
    #smtpd_tls_received_header = yes

    # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
    # Use TLS if this is supported by the remote SMTP server, otherwise use
    # plaintext.
    # References:
    #   - http://www.postfix.org/TLS_README.html#client_tls_may
    #   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
    smtp_tls_security_level = may

    # Use the same CA file as smtpd.
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtp_tls_note_starttls_offer = yes

    # Enable long, non-repeating, queue IDs (queue file names).
    # The benefit of non-repeating names is simpler logfile analysis and easier
    # queue migration (there is no need to run "postsuper" to change queue file
    # names that don't match their message file inode number).
    #enable_long_queue_ids = yes

    # Reject unlisted sender and recipient
    smtpd_reject_unlisted_recipient = yes
    smtpd_reject_unlisted_sender = yes

    # Header and body checks with PCRE table
    header_checks = pcre:/etc/postfix/header_checks
    body_checks = pcre:/etc/postfix/body_checks.pcre

    # A mechanism to transform commands from remote SMTP clients.
    # This is a last-resort tool to work around client commands that break
    # interoperability with the Postfix SMTP server. Other uses involve fault
    # injection to test Postfix's handling of invalid commands.
    # Requires Postfix-2.7+.
    #smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

    # HELO restriction
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_helo_access pcre:/etc/postfix/helo_access.pcre
        reject_non_fqdn_helo_hostname
        reject_unknown_helo_hostname

    # Sender restrictions
    smtpd_sender_restrictions =
    #    reject_unknown_sender_domain
        reject_non_fqdn_sender
    #    reject_unlisted_sender
        permit_mynetworks
        permit_sasl_authenticated
        check_sender_access pcre:/etc/postfix/sender_access.pcre

    # Recipient restrictions
    #smtpd_recipient_restrictions =
    #    reject_unknown_recipient_domain
    #    reject_non_fqdn_recipient
    #    reject_unlisted_recipient
    #    check_policy_service inet:127.0.0.1:7777
    #    permit_mynetworks
    #    permit_sasl_authenticated
    #    reject_unauth_destination

    smtpd_relay_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

    # END-OF-MESSAGE restrictions
    smtpd_end_of_data_restrictions =
        check_policy_service inet:127.0.0.1:7777

    # Data restrictions
    smtpd_data_restrictions = reject_unauth_pipelining

    proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

    # Avoid duplicate recipient messages. Default is 'yes'.
    enable_original_recipient = no

    # Virtual support.
    virtual_minimum_uid = 2000
    virtual_uid_maps = static:2000
    virtual_gid_maps = static:2000
    virtual_mailbox_base = /var/vmail

    # Do not set virtual_alias_domains.
    virtual_alias_domains =

    #
    # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
    # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
    #          be forced to submit email through port 587 instead.
    #
    smtpd_sasl_auth_enable = yes
    #smtpd_sasl_security_options = noanonymous
    #smtpd_tls_auth_only = yes

    # hostname
    myhostname = construlista.com.br
    myorigin = construlista.com.br
    mydomain = construlista.com.br

    # trusted SMTP clients which are allowed to relay mail through Postfix.
    #
    # Note: additional IP addresses/networks listed in mynetworks should be listed
    #       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
    #       for example:
    #
    #       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
    #
    mynetworks = 127.0.0.1

    # Accepted local emails
    #mydestination = $myhostname, localhost, localhost.localdomain, construlista.com.br, construlista.net.br, infinityenge.com, infinityenge.com.br
    #mydestination = localhost.$mydomain, localhost, localhost.localdomain
    #working#mydestination = localhost.$mydomain, localhost, $mydomain
    mydestination = localhost, localhost.localdomain

    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases

    # Default message_size_limit.
    message_size_limit = 15728640

    # The set of characters that can separate a user name from its extension
    # (example: user+foo), or a .forward file name from its extension (example:
    # .forward+foo).
    # Postfix 2.11 and later supports multiple characters.
    recipient_delimiter = +

    # The time after which the sender receives a copy of the message headers of
    # mail that is still queued. Default setting is disabled (0h) by Postfix.
    #delay_warning_time = 1h
    compatibility_level = 2
    #
    # Lookup virtual mail accounts
    #
    transport_maps =
        proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
        proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

    sender_dependent_relayhost_maps =
        proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

    # Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
    smtpd_sender_login_maps =
        proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

    virtual_mailbox_domains =
        proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

    relay_domains =
        $mydestination
        proxy:mysql:/etc/postfix/mysql/relay_domains.cf

    virtual_mailbox_maps =
        proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

    virtual_alias_maps =
        proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
        proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
        proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
        proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

    sender_bcc_maps =
        proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
        proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

    recipient_bcc_maps =
        proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
        proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

    #
    # Postscreen
    #
    postscreen_greet_action = enforce
    postscreen_blacklist_action = enforce
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites =
        zen.spamhaus.org=127.0.0.[2..11]*3
        b.barracudacentral.org=127.0.0.[2..11]*2

    postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
    postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

    # Require Postfix-2.11+
    postscreen_dnsbl_whitelist_threshold = -2
    #
    # Dovecot SASL support.
    #
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/dovecot-auth
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1

    #
    # Amavisd + SpamAssassin + ClamAV
    #
    content_filter = smtp-amavis:[127.0.0.1]:10024

    # Concurrency per recipient limit.
    smtp-amavis_destination_recipient_limit = 1
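The log above shows the inbound message passing amavis and then being deferred by the dovecot pipe transport. As an added example (not the poster's code), the following script groups a Postfix mail.log by queue ID and follows the content-filter re-injection ("queued as") to each message's final delivery status; the sample lines are adapted from the log in the post.

```python
"""Follow each message in a Postfix mail.log through its content-filter
re-injection to its final delivery status.

Added example for the post above, not the poster's code. The sample lines
are adapted from the log in the post; the format is the one Postfix writes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Adapted from the post: F0D43E0611 arrives from Gmail, is handed to amavis
# and re-injected as D0C27E0612, which the dovecot pipe transport defers;
# an older queue entry (5461DE060E) is retried and deferred the same way.
SAMPLE_LOG = """\
Mar 19 13:08:51 construlista postfix/qmgr[16807]: F0D43E0611: from=<fernandoofj@gmail.com>, size=3993, nrcpt=1 (queue active)
Mar 19 13:08:51 construlista postfix/qmgr[16807]: D0C27E0612: from=<fernandoofj@gmail.com>, size=4607, nrcpt=1 (queue active)
Mar 19 13:08:51 construlista postfix/amavis/smtp[17139]: F0D43E0611: to=<fernando@construlista.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.15/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D0C27E0612)
Mar 19 13:08:51 construlista postfix/pipe[17313]: D0C27E0612: to=<fernando@construlista.com.br>, relay=dovecot, delay=0.13, delays=0.02/0.03/0/0.08, dsn=4.3.0, status=deferred (temporary failure)
Mar 19 13:10:20 construlista postfix/qmgr[16807]: 5461DE060E: from=<fernandoofj@gmail.com>, size=5401, nrcpt=1 (queue active)
Mar 19 13:10:20 construlista postfix/pipe[17313]: 5461DE060E: to=<fernando@construlista.com.br>, relay=dovecot, delay=468, delays=468/0.04/0/0.17, dsn=4.3.0, status=deferred (temporary failure)
"""

# "<timestamp> <host> postfix/<daemon>[<pid>]: <queue id>: <rest>"; lines
# without a queue ID (connect/disconnect, debug chatter) are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/[^\s\[]+\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)$")
# key=value pairs separated by ", "; a value runs up to the next ", key=", so
# the parenthesised reason after status= (with its ':' and '(') stays intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-Za-z]{8,})")


@dataclass
class Delivery:
    recipient: str
    relay: str
    dsn: str
    status: str                      # e.g. "deferred (temporary failure)"
    queued_as: Optional[str] = None  # queue ID the filter re-injected it under


@dataclass
class Message:
    qid: str
    sender: Optional[str] = None
    deliveries: List[Delivery] = field(default_factory=list)


def track(log_text: str) -> Dict[str, Message]:
    """Group the log by queue ID, recording the sender and delivery attempts."""
    messages: Dict[str, Message] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = messages.setdefault(m["qid"], Message(m["qid"]))
        kv = dict(KV_RE.findall(m["rest"]))
        if "from" in kv:
            msg.sender = kv["from"].strip("<>")
        if "to" in kv and "status" in kv:
            q = QUEUED_AS_RE.search(kv["status"])
            msg.deliveries.append(Delivery(
                recipient=kv["to"].strip("<>"), relay=kv.get("relay", "?"),
                dsn=kv.get("dsn", "?"), status=kv["status"],
                queued_as=q.group(1) if q else None))
    return messages


def final_hops(messages, qid, seen=frozenset()):
    """Follow 'queued as' re-injections down to each leaf delivery attempt;
    a re-injected copy with no attempt logged yet yields (its qid, None)."""
    hops: List[Tuple[str, Optional[Delivery]]] = []
    for d in messages[qid].deliveries:
        nxt = d.queued_as
        if nxt and nxt in messages and nxt not in seen:
            hops.extend(final_hops(messages, nxt, seen | {qid}) or [(nxt, None)])
        else:
            hops.append((qid, d))
    return hops


def problem_report(messages: Dict[str, Message]) -> List[Tuple]:
    """One row per original message whose final hop is not status=sent:
    (original qid, final qid, recipient, relay, dsn, status)."""
    children = {d.queued_as for m in messages.values() for d in m.deliveries if d.queued_as}
    rows = []
    for qid in messages:
        if qid in children:
            continue  # reported under the message it was re-injected from
        for hop_qid, d in final_hops(messages, qid):
            if d is None:
                rows.append((qid, hop_qid, None, None, None, "no delivery attempt logged"))
            elif not d.status.startswith("sent"):
                rows.append((qid, hop_qid, d.recipient, d.relay, d.dsn, d.status))
    return rows
```

Run `problem_report(track(SAMPLE_LOG))` to get the rows; on a real system pass the contents of /var/log/mail.log to `track()` and every message that ends in a deferred or bounced hop shows up with the relay and DSN code that produced it.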

What is right way to get mails from Gmail to Dovecot with doveadm-backup?

The Dovecot doc is far from perfect, thus I'm a little bit confused about what the right way is to get mails from Gmail to a local Dovecot.

See: https://wiki.dovecot.org/Migration/Gmail

After some struggle I have a working sync of one user, but is there something which can be tuned for Gmail and its unusual labels/virtual folders?

Do I understand it right that each Gmail user must be synced separately, i.e. via a loop, as there's no way to write a users file with multiple passwords (doveadm backup -F $file)?

IIUC the remote user must be configured in local Dovecot.

I currently have:

    # egrep -v '^(#|[ \t]*$)' /etc/dovecot/conf.d/99-migration.conf
    imapc_host = imap.gmail.com
    imapc_features = rfc822.size
    imapc_features = $imapc_features fetch-headers
    mail_prefetch_count = 20
    imapc_port = 993
    imapc_ssl = imaps
    imapc_ssl_verify = yes
    imapc_features = gmail-migration

    # sed -n '/^namespace inbox/,/^}/p' /etc/dovecot/conf.d/10-mail.conf | \
        egrep -v '^([ \t]*#|[ \t]*$)'
    namespace inbox {
      separator = /
      inbox = yes
    }

Doing sync:

    # doveadm -v -o imapc_user=gmailuser@example.com -o \
        imapc_password='gmailuser_password' backup -O '-$GmailHaveLabels' \
        -R -x '\Flagged' -x '\Important' -u gmailuser@example.com imapc:

And after sync, I got this:

    # ls -lF /mail/example.com/data/gmailuser/Maildir/
    total 112
    drwx------  5 localuser  localgroup    512 Jan 13 22:45 .[Gmail].All Mail/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Drafts/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Sent Mail/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Spam/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Trash/
    drwx------  2 localuser  localgroup   3072 Jan 13 22:44 cur/
    -rw-------  1 localuser  localgroup      6 Jan 13 22:30 dovecot-keywords
    -rw-------  1 localuser  localgroup   3684 Jan 13 22:43 dovecot-uidlist
    -rw-------  1 localuser  localgroup      8 Jan 13 22:43 dovecot-uidvalidity
    -r--r--r--  1 localuser  localgroup      0 Jan 13 22:30 dovecot-uidvalidity.5c3c0276
    -rw-------  1 localuser  localgroup  21808 Jan 13 22:44 dovecot.index.cache
    -rw-------  1 localuser  localgroup   3148 Jan 13 22:44 dovecot.index.log
    -rw-------  1 localuser  localgroup    240 Jan 13 22:43 dovecot.mailbox.log
    -rw-------  1 localuser  localgroup      0 Jan 13 22:30 maildirfolder
    drwx------  2 localuser  localgroup    512 Jan 13 22:43 new/
    -rw-------  1 localuser  localgroup    117 Jan 13 22:30 subscriptions
    drwx------  2 localuser  localgroup    512 Jan 13 22:43 tmp/

IMAP Proxy to allow an internal server to access emails via imap.gmail.com with dovecot

I need to find a way to set up dovecot as an internet-facing mail proxy server, to allow the internal server to access emails from Gmail.

I'm not really good with dovecot, so I would appreciate it if someone could tell me how to configure it as well. Thanks. So:

Imap.gmail.com => dovecot proxy => internal server (accessing email)

thanks in advance

Why does dovecot cur folder remain very large after emptying it?

My CentOS system, used for PHPList, accumulates incoming mail in this path: /var/qmail/mailnames/example.com/noreply/Maildir/cur

There used to be hundreds of thousands of emails in this mailbox; they were bounce emails meant for bounce processing by PHPList, but PHPList was choking on them. So I used the cleanup-maildir script to mass-remove emails. Now I see that the cur directory is empty (ls -l weirdly takes about 10 seconds to return with "total 0"), and yet it shows a large size. My Plesk panel also shows that the mail account is still occupying many GB. What do I need to do?

    [root@server-1012263-1 cur]# pwd
    /var/qmail/mailnames/example.com/noreply/Maildir/cur
    [root@server-1012263-1 cur]# ls -l
    total 0
    [root@server-1012263-1 cur]# cd ..
    [root@server-1012263-1 Maildir]# ls -l
    total 76460
    -rwxr-xr-x 1 popuser popuser    18968 Jun  3  2016 cleanup-maildir
    drwx------ 2 popuser popuser     4096 Jul 18  2017 courierimapkeywords
    -rw-r--r-- 1 popuser popuser       30 Jul 14  2015 courierimapsubscribed
    -rw-r--r-- 1 popuser popuser  2216005 Mar  9  2016 courierimapuiddb
    -rw-r--r-- 1 popuser popuser   666592 Jun  5  2016 courierpop3dsizelist
    drwx------ 2 popuser popuser 74199040 Jan  7 11:55 cur
    -rw------- 1 popuser popuser      672 Jan  7 09:42 dovecot.index
    -rw------- 1 popuser popuser   203808 Jan  7 11:55 dovecot.index.cache
    -rw------- 1 popuser popuser     3480 Jan  7 11:55 dovecot.index.log
    -rw------- 1 popuser popuser    32828 Jan  7 09:42 dovecot.index.log.2
    -rw------- 1 popuser popuser      720 Apr 23  2018 dovecot.list.index.log
    -rw------- 1 popuser popuser      254 Jan  7 11:55 dovecot-uidlist
    -rw------- 1 popuser popuser        8 Apr 23  2018 dovecot-uidvalidity
    -r--r--r-- 1 popuser popuser        0 Jun  6  2016 dovecot-uidvalidity.57547a5e
    -rw------- 1 popuser popuser     3717 Jan  7 11:55 maildirsize
    drwx------ 2 popuser popuser   839680 Jan  7 11:55 new
    -rw-r--r-- 1 popuser popuser       18 Jun  5  2016 subscriptions
    drwx------ 2 popuser popuser     4096 Jan  7 11:45 tmp
    [root@server-1012263-1 Maildir]#

Screenshot of my Plesk panel showing 15GB: https://i.imgur.com/oCToAWB.png

dovecot with LDAP can’t find userPassword

I'm new to LDAP and I'm trying to use it with Dovecot for authentication. When I test out my setup with Telnet and IMAP, it reports 'userPassword not found'. However, a simple search using the same criteria brings up the userPassword correctly. Here's my database setup (olcDatabase={1}mdb.ldif):

    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 d372c2c5
    dn: olcDatabase={1}mdb
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: {1}mdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=example,dc=com
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
     e
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read
    olcLastMod: TRUE
    olcRootDN: cn=diradmin,dc=example,dc=com
    olcDbCheckpoint: 512 30
    olcDbIndex: objectClass eq
    olcDbIndex: cn,uid eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: member,memberUid eq
    olcDbMaxSize: 1073741824
    structuralObjectClass: olcMdbConfig
    entryUUID: fed6b8a2-97ef-1038-8643-a149e041a590
    creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    createTimestamp: 20181219153919Z
    olcRootPW:: cnZ3MTIz
    entryCSN: 20181220125956.316222Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20181220125956Z

This is the database (ldapsearch output):

    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # example.com
    dn: dc=example,dc=com
    dc: example
    o: Example Company
    objectClass: top
    objectClass: dcObject
    objectClass: organization

    # diradmin, example.com
    dn: cn=diradmin,dc=example,dc=com
    objectClass: organizationalRole
    objectClass: top
    cn: diradmin

    # Domains, example.com
    dn: ou=Domains,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Domains

    # Users, example.com
    dn: ou=Users,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Users

    # Services, example.com
    dn: ou=Services,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Services

    # rvw.xxxxxx.org, Domains, example.com
    dn: dc=rvw.xxxxxx.org,ou=Domains,dc=example,dc=com
    dc: rvw.xxxxxx.org
    objectClass: dNSDomain
    objectClass: top
    o: postfixUser
    userPassword:: e0NSWVBUfXdRd0VQdGh3dEtUYTY=

    # Richard Williams, Users, example.com
    dn: cn=Richard Williams,ou=Users,dc=example,dc=com
    cn: Richard Williams
    mailacceptinggeneralid: rvw.xxxxxx.org
    maildrop: richardwilliams@rvw.xxxxxx.org
    mailEnabled: TRUE
    mailGidNumber: 5000
    mailUidNumber: 5000
    objectClass: extensibleObject
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: PostfixBookMailAccount
    objectClass: postfixUser
    objectClass: top
    sn: Williams
    uid: richardwiliams
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=
    mail: richardwilliams@rvw.xxxxxx.org
    mailAlias: richard@rvw.xxxxxx.org
    mailAlias: postmaster@rvw.xxxxxx.org
    mailAlias: abuse@rvw.xxxxxx.org
    mailHomeDirectory: /home/vmail
    mailStorageDirectory: maildir:/home/vmail/richardwilliams@rvw.xxxxxx.org/Maildir
    uniqueIdentifier: richardwilliams@rvw.xxxxxx.org

    # phamm, example.com
    dn: cn=phamm,dc=example,dc=com
    cn: phamm
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    objectClass: top
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=

    # dovecot, Services, example.com
    dn: uid=dovecot,ou=Services,dc=example,dc=com
    objectClass: account
    objectClass: simpleSecurityObject
    objectClass: top
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=
    uid: dovecot

    # search result
    search: 2
    result: 0 Success

    # numResponses: 10
    # numEntries: 9

The log shows:

    Jan  5 16:01:58 broadband dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
    Jan  5 16:01:58 broadband dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Jan  5 16:01:58 broadband dovecot: auth: Debug: auth client connected (pid=1232)
    Jan  5 16:02:24 broadband dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB#011lip=::1#011rip=::1#011lport=143#011rport=55538#011resp=<hidden>
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): pass search: base=ou=Users,dc=example,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=richardwilliams@rvw.xxxxxx.org)) fields=mail,userPassword
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): result: mail=richardwilliams@rvw.xxxxxx.org; mail unused
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): result: mail=richardwilliams@rvw.xxxxxx.org; userPassword missing
    Jan  5 16:02:24 broadband dovecot: auth: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): No password returned (and no nopassword)
    Jan  5 16:02:26 broadband dovecot: auth: Debug: client passdb out: FAIL#0111#011user=richardwilliams@rvw.xxxxxx.org
    Jan  5 16:02:31 broadband dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richardwilliams@rvw.xxxxxx.org>, method=PLAIN, rip=::1, lip=::1, secured, session=<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>

Here’s the dovecot-ldap.conf.ext file:

    # This file is commonly accessed via passdb {} or userdb {} section in
    # conf.d/auth-ldap.conf.ext

    # This file is opened as root, so it should be owned by root and mode 0600.
    #
    # http://wiki2.dovecot.org/AuthDatabase/LDAP
    #
    # NOTE: If you're not using authentication binds, you'll need to give
    # dovecot-auth read access to userPassword field in the LDAP server.
    # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
    # already be something like this:

    # access to attribute=userPassword
    #        by dn="<dovecot's dn>" read # add this
    #        by anonymous auth
    #        by self write
    #        by * none

    # Space separated list of LDAP hosts to use. host:port is allowed too.
    hosts = 127.0.0.1

    # LDAP URIs to use. You can use this instead of hosts list. Note that this
    # setting isn't supported by all LDAP libraries.
    #uris =

    # Distinguished Name - the username used to login to the LDAP server.
    # Leave it commented out to bind anonymously (useful with auth_bind=yes).
    #dn =

    # Password for LDAP server, if dn is specified.
    #dnpass =

    # Use SASL binding instead of the simple binding. Note that this changes
    # ldap_version automatically to be 3 if it's lower.
    #sasl_bind = no
    # SASL mechanism name to use.
    #sasl_mech =
    # SASL realm to use.
    #sasl_realm =
    # SASL authorization ID, ie. the dnpass is for this "master user", but the
    # dn is still the logged in user. Normally you want to keep this empty.
    #sasl_authz_id =

    # Use TLS to connect to the LDAP server.
    #tls = no
    # TLS options, currently supported only with OpenLDAP:
    #tls_ca_cert_file =
    #tls_ca_cert_dir =
    #tls_cipher_suite =
    # TLS cert/key is used only if LDAP server requires a client certificate.
    #tls_cert_file =
    #tls_key_file =
    # Valid values: never, hard, demand, allow, try
    #tls_require_cert =

    # Use the given ldaprc path.
    #ldaprc_path =

    # LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
    # -1 = everything. You may need to recompile OpenLDAP with debugging enabled
    # to get enough output.
    debug_level = 0

    # Use authentication binding for verifying password's validity. This works by
    # logging into LDAP server using the username and password given by client.
    # The pass_filter is used to find the DN for the user. Note that the pass_attrs
    # is still used, only the password field is ignored in it. Before doing any
    # search, the binding is switched back to the default DN.
    auth_bind = no

    # If authentication binding is used, you can save one LDAP request per login
    # if users' DN can be specified with a common template. The template can use
    # the standard %variables (see user_filter). Note that you can't
    # use any pass_attrs if you use this setting.
    #
    # If you use this setting, it's a good idea to use a different
    # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
    # the filename is different in userdb's args). That way one connection is used
    # only for LDAP binds and another connection is used for user lookups.
    # Otherwise the binding is changed to the default DN before each user lookup.
    #
    # For example:
    #   auth_bind_userdn = cn=%u,ou=people,o=org
    #
    #auth_bind_userdn =

    # LDAP protocol version to use. Likely 2 or 3.
    ldap_version = 3

    # LDAP base. %variables can be used here.
    # For example: dc=mail, dc=example, dc=org
    base = ou=Users,dc=example,dc=com

    # Dereference: never, searching, finding, always
    deref = never

    # Search scope: base, onelevel, subtree
    scope = subtree

    # User attributes are given in LDAP-name=dovecot-internal-name list. The
    # internal names are:
    #   uid - System UID
    #   gid - System GID
    #   home - Home directory
    #   mail - Mail location
    #
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/UserDatabase/ExtraFields
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

    # Filter for user lookup. Some variables can be used (see
    # http://wiki2.dovecot.org/Variables for full list):
    #   %u - username
    #   %n - user part in user@domain, same as %u if there's no domain
    #   %d - domain part in user@domain, empty if user there's no domain
    user_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Password checking attributes:
    #  user: Virtual user name (user@domain), if you wish to change the
    #        user-given username to something else
    #  password: Password, may optionally start with {type}, eg. {crypt}
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
    pass_attrs = mail=user,userPassword=password

    # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
    # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
    # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
    # string. For example:
    #pass_attrs = uid=user,userPassword=password,\
    #  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

    # Filter for password lookups
    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Attributes and filter to get a list of all users
    #iterate_attrs = uid=user
    #iterate_filter = (objectClass=posixAccount)

    # Default password scheme. "{scheme}" before password overrides this.
    # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
    default_pass_scheme = md5

10-master.conf

    #default_process_limit = 100
    #default_client_limit = 1000

    # Default VSZ (virtual memory size) limit for service processes. This is mainly
    # intended to catch and kill processes that leak memory before they eat up
    # everything.
    #default_vsz_limit = 256M

    # Login user is internally used by login processes. This is the most untrusted
    # user in Dovecot system. It shouldn't have access to anything at all.
    #default_login_user = dovenull

    # Internal user is used by unprivileged processes. It should be separate from
    # login user, so that login processes can't disturb other processes.
    #default_internal_user = dovecot

    service imap-login {
      inet_listener imap {
        #port = 143
      }
      inet_listener imaps {
        #port = 993
        #ssl = yes
      }

      # Number of connections to handle before starting a new process. Typically
      # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
      # is faster. <doc/wiki/LoginProcess.txt>
      #service_count = 1

      # Number of processes to always keep waiting for more connections.
      #process_min_avail = 0

      # If you set service_count=0, you probably need to grow this.
      #vsz_limit = $default_vsz_limit
    }

    service pop3-login {
      inet_listener pop3 {
        #port = 110
      }
      inet_listener pop3s {
        #port = 995
        #ssl = yes
      }
    }

    service lmtp {
      unix_listener lmtp {
        #mode = 0666
      }

      # Create inet listener only if you can't use the above UNIX socket
      #inet_listener lmtp {
        # Avoid making LMTP visible for the entire internet
        #address =
        #port =
      #}
    }

    service imap {
      # Most of the memory goes to mmap()ing files. You may need to increase this
      # limit if you have huge mailboxes.
      #vsz_limit = $default_vsz_limit

      # Max. number of IMAP processes (connections)
      #process_limit = 1024
    }

    service pop3 {
      # Max. number of POP3 processes (connections)
      #process_limit = 1024
    }

    service auth {
      # auth_socket_path points to this userdb socket by default. It's typically
      # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
      # full permissions to this socket are able to get a list of all usernames and
      # get the results of everyone's userdb lookups.
      #
      # The default 0666 mode allows anyone to connect to the socket, but the
      # userdb lookups will succeed only if the userdb returns an "uid" field that
      # matches the caller process's UID. Also if caller's uid or gid matches the
      # socket's uid or gid the lookup succeeds. Anything else causes a failure.
      #
      # To give the caller full permissions to lookup all users, set the mode to
      # something else than 0666 and Dovecot lets the kernel enforce the
      # permissions (e.g. 0777 allows everyone full permissions).
      unix_listener auth-userdb {
        mode = 0666
        user = vmail
        group = vmail
      }

      # Postfix smtp-auth
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }

      # Auth process is run as this user.
      # user = $default_internal_user
    }

    service auth-worker {
      # Auth worker process is run as root by default, so that it can access
      # /etc/shadow. If this isn't necessary, the user should be changed to
      # $default_internal_user.
      #user = root
    }

    service dict {
      # If dict proxy is used, mail processes should have access to its socket.
      # For example: mode=0660, group=vmail and global mail_access_groups=vmail
      unix_listener dict {
        #mode = 0600
        #user =
        #group =
      }
    }

and 10-auth.conf:

    ##
    ## Authentication processes
    ##

    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    # See also ssl=required setting.
    #disable_plaintext_auth = yes

    # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
    # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
    #auth_cache_size = 0
    # Time to live for cached data. After TTL expires the cached record is no
    # longer used, *except* if the main database lookup returns internal failure.
    # We also try to handle password changes automatically: If user's previous
    # authentication was successful, but this one wasn't, the cache isn't used.
    # For now this works only with plaintext authentication.
    #auth_cache_ttl = 1 hour
    # TTL for negative hits (user not found, password mismatch).
    # 0 disables caching them completely.
    #auth_cache_negative_ttl = 1 hour

    # Space separated list of realms for SASL authentication mechanisms that need
    # them. You can leave it empty if you don't want to support multiple realms.
    # Many clients simply use the first one listed here, so keep the default realm
    # first.
    #auth_realms =

    # Default realm/domain to use if none was specified. This is used for both
    # SASL realms and appending @domain to username in plaintext logins.
    #auth_default_realm =

    # List of allowed characters in username. If the user-given username contains
    # a character not listed in here, the login automatically fails. This is just
    # an extra check to make sure user can't exploit any potential quote escaping
    # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
    # set this value to empty.
    #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

    # Username character translations before it's looked up from databases. The
    # value contains series of from -> to characters. For example "#@/@" means
    # that '#' and '/' characters are translated to '@'.
    #auth_username_translation =

    # Username formatting before it's looked up from databases. You can use
    # the standard variables here, eg. %Lu would lowercase the username, %n would
    # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
    # "-AT-". This translation is done after auth_username_translation changes.
    #auth_username_format = %Lu

    # If you want to allow master users to log in by specifying the master
    # username within the normal username string (ie. not using SASL mechanism's
    # support for it), you can specify the separator character here. The format
    # is then <username><separator><master username>. UW-IMAP uses "*" as the
    # separator, so that could be a good choice.
    #auth_master_user_separator =

    # Username to use for users logging in with ANONYMOUS SASL mechanism
    #auth_anonymous_username = anonymous

    # Maximum number of dovecot-auth worker processes. They're used to execute
    # blocking passdb and userdb queries (eg. MySQL and PAM). They're
    # automatically created and destroyed as needed.
    #auth_worker_max_count = 30

    # Host name to use in GSSAPI principal names. The default is to use the
    # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
    # entries.
    #auth_gssapi_hostname =

    # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
    # default (usually /etc/krb5.keytab) if not specified. You may need to change
    # the auth service to run as root to be able to read this file.
    #auth_krb5_keytab =

    # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
    # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
    #auth_use_winbind = no

    # Path for Samba's ntlm_auth helper binary.
    #auth_winbind_helper_path = /usr/bin/ntlm_auth

    # Time to delay before replying to failed authentications.
    #auth_failure_delay = 2 secs

    # Require a valid SSL client certificate or the authentication fails.
    #auth_ssl_require_client_cert = no

    # Take the username from client's SSL certificate, using
    # X509_NAME_get_text_by_NID() which returns the subject's DN's
    # CommonName.
    #auth_ssl_username_from_cert = no

    # Space separated list of wanted authentication mechanisms:
    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    #   gss-spnego
    # NOTE: See also disable_plaintext_auth setting.
    auth_mechanisms = plain login

    ##
    ## Password and user databases
    ##

    #
    # Password database is used to verify user's password (and nothing more).
    # You can have multiple passdbs and userdbs. This is useful if you want to
    # allow both system users (/etc/passwd) and virtual users to login without
    # duplicating the system users into virtual database.
    #
    # <doc/wiki/PasswordDatabase.txt>
    #
    # User database specifies where mails are located and what user/group IDs
    # own them. For single-UID configuration use "static" userdb.
    #
    # <doc/wiki/UserDatabase.txt>

    #!include auth-deny.conf.ext
    #!include auth-master.conf.ext

    #!include auth-system.conf.ext
    #!include auth-sql.conf.ext
    !include auth-ldap.conf.ext
    #!include auth-passwdfile.conf.ext
    #!include auth-checkpassword.conf.ext
    #!include auth-vpopmail.conf.ext
    #!include auth-static.conf.ext

I’m sure there’s just a simple mistake, but I’m not able to spot it. All help appreciated.
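Two things on the page point at the same spot: the comment block at the top of dovecot-ldap.conf.ext says that without authentication binds dovecot-auth needs read access to userPassword, and the posted olcAccess {0} gives anonymous connections only "auth" on that attribute, while dn and dnpass are commented out, so Dovecot searches anonymously. The following is an added example, not code from the question, from Dovecot or from OpenLDAP: a small Python model of slapd's ordered, first-match ACL evaluation, run over the exact olcAccess values posted. The amended rule that grants read to uid=dovecot,ou=Services,dc=example,dc=com (the service entry visible in the ldapsearch output) is an assumption about the fix, as is binding with that DN via dn/dnpass in dovecot-ldap.conf.ext.

```python
"""Model slapd access control for one attribute and show what the posted
olcAccess rules let an anonymous or service-account search see.

Added example; it models only the <who> forms '*', 'anonymous', 'users',
'self' and dn="..." and the targets '*' and 'attrs=a,b'. Real slapd
supports far more (dn-based targets, filters, control keywords)."""
import re

# Ordered slapd access levels: each level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_olc_access(values):
    """Parse olcAccess values ('{n}to <what> by <who> <level> ...') into an
    ordered list of (target, [(who, level), ...]) tuples."""
    rules = []
    for value in values:
        body = re.sub(r"^\{\d+\}", "", value.strip())
        if not body.startswith("to "):
            raise ValueError("unsupported olcAccess value: " + value)
        target, *by_clauses = re.split(r"\s+by\s+", body[3:])
        clauses = []
        for clause in by_clauses:
            who, level = clause.strip().rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            clauses.append((who, level))
        rules.append((target.strip(), clauses))
    return rules


def target_matches(target, attr):
    if target == "*":
        return True
    m = re.fullmatch(r"attrs=([\w,]+)", target)
    return bool(m) and attr.lower() in m.group(1).lower().split(",")


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> clause: " + who)


def access_level(rules, bind_dn, entry_dn, attr):
    """slapd semantics: the first <to> clause matching the attribute decides;
    within it the first matching <by> clause gives the level, and no matching
    <by> clause means 'none'."""
    for target, clauses in rules:
        if target_matches(target, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"


def grants(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


# The three olcAccess values exactly as posted in the question.
POSTED_ACL = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]
USER_DN = "cn=Richard Williams,ou=Users,dc=example,dc=com"
DOVECOT_DN = "uid=dovecot,ou=Services,dc=example,dc=com"

# Assumed fix (not from the question): let the service account Dovecot binds
# with read userPassword. It must come before 'by * none' because the first
# matching <by> clause wins.
FIXED_ACL = [
    '{0}to attrs=userPassword by self write by dn="%s" read by anonymous auth by * none'
    % DOVECOT_DN
] + POSTED_ACL[1:]


def passdb_can_read_password(acl, bind_dn):
    """auth_bind = no: dovecot-auth must *read* userPassword from the entry."""
    level = access_level(parse_olc_access(acl), bind_dn, USER_DN, "userPassword")
    return grants(level, "read")


def user_can_bind(acl):
    """A simple bind is checked before the connection is authenticated, so it
    is evaluated as anonymous and needs only 'auth' on userPassword."""
    level = access_level(parse_olc_access(acl), None, USER_DN, "userPassword")
    return grants(level, "auth")


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, "anonymous passdb read:", passdb_can_read_password(acl, None))
        print(name, "service DN passdb read:", passdb_can_read_password(acl, DOVECOT_DN))
        print(name, "user simple bind:", user_can_bind(acl))
```

With the posted rules, an anonymous search gets "auth" on userPassword, which is enough for the user's own bind but not for reading the hash, so the search returns the entry with the attribute stripped, which is exactly the "userPassword missing" line in the log; binding as the service DN without an ACL change fares no better, because it falls through to "by * none". An ldapsearch run as root over ldapi with SASL EXTERNAL is not subject to this rule in the same way, which explains why the manual search shows the attribute. The alternative the same comment block describes, auth_bind = yes, sidesteps the read requirement altogether, since Dovecot then binds as the user and only "auth" is needed.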