Dale C. Anderson's questions

I recently installed fail2ban which has begun blocking bad ssh attempts.

I also set up an additional filter to permanently ban repeat offenders.

I notice now that there are some entries in my iptables that are there as DNS hostnames instead of raw IP addresses, which is obviously a terrible idea.

I have added use_dns = no in my /etc/fail2ban/fail2ban.conf, and have added UseDNS no to /etc/ssh/sshd_config. I've restarted both services, but those iptables entries still are showing up as host names instead of IP addresses.

What else could be causing the dns names? The permanent list of banned ips are being stored as raw IPs, so the translation seems to be happening behind the scenes as they are added by fail2ban at startup.

After doing a major Ubuntu dist upgrade from 10.04 to 12.04, my virtual-user postfix / dovecot installation only offers "PLAIN" SMTP Authentication mechanism.

It used to offer PLAIN + LOGIN mechanisms, and I have tried everything under the sun to get the the LOGIN one back again, but it just won't do it.

Without the "LOGIN" version, a lot of MS-based clients (windows live, outlook express) can no longer send mail using SMTP Auth. I've had to put their IP addresses in to my 'mynetworks' list.

I even tried setting up a from-scratch postfix+dovecot+virtual users smtp server with 12.04.1, thinking that it had to be something to do with the upgrade, but can't get anything more than AUTH PLAIN to be offered on the new system either.

Has anyone successfully set up a working postfix + dovecot + virtual users mail server on 12.04 that properly does SMTP Auth?

My current dovecot config: http://pastie.org/5651874

and current postfix config: http://pastie.org/5651882

.

FYI here are the excerpts of configurations I've tried:

(A):

/etc/dovecot/conf.d/10-auth.conf:

auth_mechanisms = plain login

/etc/dovecot/conf.d/10-master.conf:

service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
    port = 12345
  }
}

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:127.0.0.1:12345

Results in

... warning: SASL: Connect to inet:127.0.0.1:12345 failed: Connection refused
... fatal: no SASL authentication mechanisms

from my logs.

.

.

And (B):

/etc/dovecot/conf.d/10-auth.conf:

auth_mechanisms = plain login

/etc/dovecot/conf.d/10-master.conf:

service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Results in only the PLAIN mechanism being offered.

.

The documentation that adaptr referenced in his answer doesn't have any example of the UNIX socket style config for Dovecot 2, so I'm hoping that someone with more experience can guide me here.

I see a lot of the time that the same settings can be specified in both main.cf, and also in master.cf using the -o prefix.

My question is, does one override the other, and if so, which file is given priority if the same setting (with a different value) is found in both?

For instance, if

smtpd_tls_auth_only=yes

was specified in main.cf, but

-o smtpd_tls_auth_only=no 

was specified in master.cf, which one would postfix pay attention to?