2

I configured postfix and dovecot as specified in http://www.postfix.org/SASL_README.html#server_dovecot_comm description to activate sasl authentication.

Unfortunately postfix rejects every connection with the following error showing in the log

postfix/smtpd[5238]: fatal: no SASL authentication mechanisms 

I'm using Ubuntu LTS 10.04.

Googling around I saw many people reporting this obscure error without describing a clear diagnostic. It is not clear if the problem is on dovecot side or postfix side.

UPDATE: postfix sasl configuration obtained with postconf | grep -e "^smtpd.*sasl"

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/access, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client korea.services.net
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_exceptions_networks =
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot

When trying to connect with telnet localhost 25 the connection is immediately closed with the above message. Commenting out smtpd_sasl_auth_enable = yes disables sasl and connection completes normally.

Dovecot configuration obtained with dovecot -n

    # 1.2.9: /etc/dovecot/dovecot.conf
    # OS: Linux 2.6.32-41-generic i686 Ubuntu 10.04.4 LTS
    log_timestamp: %Y-%m-%d %H:%M:%S
    protocols: imaps
    ssl_cert_file: /home/xxxx/cacert/xxxx.net/server.crt
    ssl_key_file: /home/xxxx/cacert/xxxx.net/server.key
    verbose_ssl: yes
    login_dir: /var/run/dovecot/login
    login_executable: /usr/lib/dovecot/imap-login
    mail_privileged_group: mail
    mail_location: maildir:~/Maildir
    mbox_write_locks: fcntl dotlock
    auth default:
      mechanisms: plain login
      passdb:
        driver: pam
      userdb:
        driver: passwd
      socket:
        type: listen
        client:
          path: /var/spool/postfix/private/auth
          mode: 432
          user: postfix
          group: postfix

Real values hidden with xxxx

    root@xxxx:/etc/postfix# stat /var/spool/postfix/private/auth
      File: «/var/spool/postfix/private/auth»
      Size: 0  Blocks: 0  IO Block: 4096  socket
    Device: 801h/2049d  Inode: 6817165  Links: 1
    Access: (0660/srw-rw----)  Uid: ( 111/ postfix)  Gid: ( 120/ postfix)
    Access: 2012-08-10 16:47:06.000000000 +0200
    Modify: 2012-08-10 16:46:09.000000000 +0200
    Change: 2012-08-10 16:46:09.000000000 +0200

UPDATE: the error is removed if I change smtpd_tls_auth_only = no to smtpd_tls_auth_only = yes. Now I can receive mail to local mailbox from remote hosts.

I have to configure my MUA to connect with STARTTLS to be able to connect. If I try to connect with SSL/TLS the connection hangs. With STARTTLS, the connection is established, but as anonymous and thus mail relay is rejected, which is what I wanted to enable. Here is what I see in syslog.

    postfix/smtpd[7715]: connect from unknown[192.168.2.17]
    postfix/smtpd[7715]: setting up TLS connection from unknown[192.168.2.17]
    postfix/smtpd[7715]: Anonymous TLS connection established from unknown[192.168.2.17]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

UPDATE dovecot auth_debug output when trying to relay mail through postfix server. This is probably a postfix configuration problem.

    postfix/smtpd[8186]: connect from unknown[192.168.2.17]
    postfix/smtpd[8186]: setting up TLS connection from unknown[192.168.2.17]
    postfix/smtpd[8186]: Anonymous TLS connection established from unknown[192.168.2.17]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    dovecot: auth(default): new auth connection: pid=8186
    dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=192.168.2.3#011rip=192.168.2.17#011secured#011resp=<hidden>
    home dovecot: auth-worker(default): pam(yyyy,192.168.2.17): lookup service=dovecot
    home dovecot: auth-worker(default): pam(yyyy,192.168.2.17): #1/1 style=1 msg=Password:
    home dovecot: auth(default): client out: OK#0111#011user=yyyy
    postfix/smtpd[8186]: NOQUEUE: reject: RCPT from unknown[192.168.2.17]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.2.17]>
    postfix/smtpd[8186]: disconnect from unknown[192.168.2.17]

This means that postfix properly communicates with dovecot and I assume that authentication works since dovecot returns Ok at the end of its transaction.

Sending to a local account works and my MUA uses TLS as expected. Thus the only problem left is allowing relay for authenticated users. I thought that

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination 

would be enough after reading the postfix documentation.

SOLUTION: When commenting out the smtpd_sender_restriction parameter relay was possible. I found it by commenting out suspicious arguments one by one. I don't know what might be blocking mail relay in it.

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_sender_domain regexp:/etc/postfix/forbid_from 
3
  • Could you post your postfix configuration related to sasl auth? Commented Aug 10, 2012 at 12:32
  • Do I have to do something special for dovecot configuration? I added the socket listen {} which is apparently correctly taken into account. Commented Aug 10, 2012 at 13:26
  • At least I would like that no authenticated users can submit mails to local users. It is relay only that should be blocked. Commented Aug 10, 2012 at 13:45

2 Answers

2

We can probably troubleshoot this with a few questions:

  • Is dovecot running?
  • Can you authenticate to it with an IMAP/POP client?
  • Is there a socket available at /var/spool/postfix/private/auth?
  • Is the socket readable/writeable by the postfix user?

If the answer to any of these questions is 'No', we have found your problem. If the answers are all 'Yes', please post doveconf -n

4
  • The answer to all these questions is yes. Commented Aug 10, 2012 at 15:11
  • postconf -a to verify that your postfix has support for dovecot sasl. Then start looking at dovecot logs (make sure you have dovecot logging turned up enough): please post dovecot's log of an auth attempt. Commented Aug 10, 2012 at 15:41
  • Yes, my postfix has support for dovecot. I failed to set auth_debug_passwords=yes. It is not shown with dovecot -n. Commented Aug 10, 2012 at 16:04
  • auth_debug = yes works. See debug output. I don't know what to think about it. Commented Aug 10, 2012 at 16:19
1

I solved the problem myself.

The parameter causing the relay to fail is

smtpd_sender_restrictions = ..., reject_unauth_destination, ... 

Once removed, relay was possible for sasl authenticated users.

1
  • reject_unauth_destination should be in the smtpd_recipient_restrictions! Moreover, you should add permit_sasl_authenticated as the first option in the smtpd_sender_restrictions. Commented Aug 11, 2013 at 19:03
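
Why the sender list blocked relay, as an added example (not code from the thread or from Postfix): a small model of how smtpd walks its restriction lists, where a permit only ends the current list while a reject ends the whole evaluation. It assumes the default smtpd_delay_reject = yes (so the sender list runs at RCPT TO), and the mynetworks value, local domain and recipient address are constructed; every restriction other than the three modelled is treated as "no match".

```python
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumed; not shown on the page
LOCAL_DOMAINS = {"example.net"}                      # assumed stand-in for mydestination
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

# Sender list as posted in the question; recipient list in the short form the asker quotes.
PAGE_CONF = {
    "smtpd_sender_restrictions": "permit_mynetworks, reject_sender_login_mismatch, "
        "reject_unauth_destination, reject_unauth_pipelining, "
        "reject_unknown_sender_domain regexp:/etc/postfix/forbid_from",
    "smtpd_recipient_restrictions": "permit_mynetworks, permit_sasl_authenticated, "
        "reject_unauth_destination",
}
# Same configuration with reject_unauth_destination dropped from the sender list.
FIXED_CONF = dict(PAGE_CONF, smtpd_sender_restrictions=PAGE_CONF[
    "smtpd_sender_restrictions"].replace("reject_unauth_destination, ", ""))

def check(name, session):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for a single restriction."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(session["client"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if session["sasl_user"] else "DUNNO"
    if name == "reject_unauth_destination":
        domain = session["rcpt"].rsplit("@", 1)[-1]
        return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
    return "DUNNO"  # simplification: all other restrictions never match

def evaluate(conf, session):
    """Walk the lists in order; return (verdict, list name, restriction)."""
    for param in LISTS:
        for name in re.split(r"[,\s]+", conf.get(param, "").strip()):
            verdict = check(name, session)
            if verdict == "REJECT":
                return ("REJECT", param, name)  # final, later lists never run
            if verdict == "PERMIT":
                break                           # skips only the rest of this list
    return ("PERMIT", None, None)

# Constructed sessions: the client from the logs, relaying to a remote recipient.
AUTH = {"client": "192.168.2.17", "sasl_user": "yyyy", "rcpt": "someone@remote.example"}
ANON = dict(AUTH, sasl_user=None)

if __name__ == "__main__":
    for label, conf, s in (("page, authenticated", PAGE_CONF, AUTH),
                           ("fixed, authenticated", FIXED_CONF, AUTH),
                           ("fixed, anonymous", FIXED_CONF, ANON)):
        print(label, evaluate(conf, s))
```

With the posted lists the authenticated session is rejected in smtpd_sender_restrictions before permit_sasl_authenticated in the recipient list is ever reached; with the entry removed, unauthenticated relay is still refused by the recipient list.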
