2

I have postfix + dovecot + pgsql. All has been working. Recently I've changed something in the config to combat spam. Now I see this in the logs:

    localhost postfix/smtpd[2299]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
    localhost postfix/smtpd[2299]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
    localhost postfix/smtpd[2299]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
    localhost postfix/smtpd[2299]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support

But!

    $ postconf -a
    cyrus
    dovecot

And

    $ ldd /usr/sbin/postfix | grep sasl
    libsasl2.so.3 => /usr/lib/libsasl2.so.3 (0x00007f9508e75000)

If I remember correctly, I installed postfix via "pacman".

Why the warning and how to fix it?

upd1:

    sudo postconf | grep -i smtpd_sasl
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_exceptions_networks =
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_service = smtp
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot

upd2:

in master.cf I've found this:

    smtp inet n - n - - smtpd
      -o smtpd_sasl_auth_enable=no

Can this be the reason?

upd3:

also:

    submission inet n - y - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions=permit_sasl_authenticated, reject
      -o smtpd_recipient_restrictions=permit_sasl_authenticated, reject
  • But are they enabled? Please add the contents of postconf | grep -i smtpd_sasl. In my case, with dovecot, I have these 3 values specifically set: smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes Commented Dec 26, 2018 at 20:38
  • Sasl is a little bit funny on Postfix, you need to use saslauthd and configure them to work together. Sometimes surprising error messages are possible, but it can be done. A strace would be highly useful. Commented Dec 26, 2018 at 21:22
  • @StephenHarris see my update Commented Dec 26, 2018 at 22:01
  • @peterh I don't understand Commented Dec 26, 2018 at 22:01
  • Is the postfix user in the sasl group? ... or said another way... The postfix user needs to be able to access the dovecot sasl unix socket... see here Commented Dec 27, 2018 at 14:29

1 Answer

0

I'm going to start by assuming that in your case you send and receive mail using the same IP address (what's termed a smart host).

In this scenario mail will usually be submitted for sending by yourself on port 587 but received on port 25.

Why is this important? Because in this configuration postfix will use the port to identify how to treat the connection.

Let's look at some real logs from my SMTP server - the first from a connection on port 25

    Nov 26 07:33:45 box postfix/smtpd[128819]: connect from host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5]
    Nov 26 07:35:01 box postfix/smtpd[128819]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
    Nov 26 07:35:02 box postfix/smtpd[128819]: NOQUEUE: reject: RCPT from host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5]: 554 5.7.1 Service unavailable; Client host [86.157.106.5] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/86.157.106.5; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<desktop>
    Nov 26 07:35:13 box postfix/smtpd[128819]: disconnect from host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5] ehlo=2 starttls=1 auth=0/1 mail=1 rcpt=0/1 quit=1 commands=5/7

Now from a connection on the same IP address using port 587

    Nov 26 07:40:53 box postfix/smtpd[130170]: disconnect from unknown[185.218.234.97] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
    Nov 26 07:43:12 box postfix/submission/smtpd[130244]: connect from host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5]
    Nov 26 07:43:31 box postfix/submission/smtpd[130244]: warning: host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5]: SASL plain authentication failed:
    Nov 26 07:43:36 box postfix/submission/smtpd[130244]: disconnect from host86-157-106-5.range86-157.btcentralplus.com[86.157.106.5] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5

For each connection I used the same AUTH PLAIN command. AUTH PLAIN

So what's going on?

Let's start by saying that in an ideal scenario the client will send AUTH PLAIN on its own and then receive the response 334 from the server - assuming that the authentication method is supported. Then the client will send the authentication info.

However AUTH PLAIN does allow you to send the whole lot in one command by adding the authentication string to the same line. In which case it will forgo the 334 line and just jump straight in with the authentication.

    250 SMTPUTF8
    ehlo desktop
    250-box.timothydutton.co.uk
    250-PIPELINING
    250-SIZE 134217728
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
    auth plain <base64 string with email address and wrong password>
    535 5.7.8 Error: authentication failed:
    quit
    221 2.0.0 Bye
    closed

The above was actually taken from the second connection attempt on port 587

However, because port 25 is used for receiving mail, SASL is not used. What happens is that the server should be configured that all connections on port 25 will only accept rcpt: to addresses belonging to that server. This stops the server from being used as an open relay.

So what's happening is the server is processing the additional info in the AUTH PLAIN command and saying, well it's wrong, but it doesn't matter as I don't actually use authentication on this port.

We see from the response in the first example that the server does have other defences in play.

Note: I own the server used to show the connection examples.
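
The check below is an added example, not part of the question, the answer or Postfix itself. smtpd logs "no SASL support" when it evaluates a SASL-dependent restriction while smtpd_sasl_auth_enable is off for that service, so the script resolves master.cf -o overrides against main.cf and lists the services where that happens. The main.cf values are constructed and the function names are hypothetical.

```python
# Restrictions smtpd skips with "no SASL support" when SASL is off.
SASL_ONLY = {"reject_authenticated_sender_login_mismatch",
             "reject_unauthenticated_sender_login_mismatch",
             "reject_sender_login_mismatch"}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace); drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_services(master_cf):
    """Yield (service name, {parameter: value}) for every smtpd entry."""
    for fields in map(str.split, logical_lines(master_cf)):
        if len(fields) < 8 or fields[7] != "smtpd":   # 8th column is the command
            continue
        yield fields[0], dict(a.split("=", 1)
                              for o, a in zip(fields[8:], fields[9:])
                              if o == "-o" and "=" in a)

def ignored_restrictions(main_cf, master_cf):
    """Map each smtpd service to the SASL-only restrictions it would ignore."""
    findings = {}
    for service, overrides in smtpd_services(master_cf):
        eff = {**main_cf, **overrides}          # -o overrides win over main.cf
        if eff.get("smtpd_sasl_auth_enable", "no") == "yes":
            continue
        used = {r for k, v in eff.items() if k.endswith("_restrictions")
                for r in v.replace(",", " ").split()} & SASL_ONLY
        if used:
            findings[service] = sorted(used)
    return findings

# Constructed main.cf values; the page does not show where the restrictions sit.
MAIN_CF = {"smtpd_sasl_auth_enable": "yes",
           "smtpd_sender_restrictions":
               "reject_authenticated_sender_login_mismatch, "
               "reject_unauthenticated_sender_login_mismatch"}
# master.cf entries abbreviated from the question.
MASTER_CF = """smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
"""
print(ignored_restrictions(MAIN_CF, MASTER_CF))
```

On a live host, postconf -n and postconf -P print the main.cf values and the per-service master.cf overrides that this script takes as input.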
