Dovecot with Postfix "no SASL authentication mechanisms"
Hi. Can someone help me please check what is wrong with my config? postfix is saying "no SASL authentication mechanisms" and I'm using dovecot. From what I read so far, it is related to my dovecot settings. Here are the details of my config http://paste.debian.net/1290864/
hello,
you have this smtpd_sasl_auth_enable = no
in your config
it should be smtpd_sasl_auth_enable=yes
Hi Cyril,
On 04/09/2023 09:38, cyril.leclerc@mantiq.com wrote:
hello,
you have this smtpd_sasl_auth_enable = no
in your config
it should be smtpd_sasl_auth_enable=yes
When I switch that setting to 'yes', I still got
"fatal: no SASL authentication mechanisms"
And a postfix server that is the MX for the domain can no longer relay messages to this one, see below:
Sep 04 07:01:01 smtp2 postfix/relay/smtp[186183]: B61CB5FCFF: to=<me@example.com>, relay=smtp.example.com[1.2.3.4]:587, delay=1.3, delays=0.22/0.01/1.1/0, dsn=4.4.2, status=deferred (lost connection with smtp.example.com[1.2.3.4] while performing the EHLO handshake)
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
So you have to check: when it is switched on and you get the same error, it means the SASL service could not be started. Check if the service is up on your server, then check the log for any error about this topic.
Then, if I am not wrong, when you set it to yes it means you now need SMTP authentication to connect to the server in the mail client configuration. I don't know your configuration exactly.
Why do you need SASL? Do you really need it? If yes, it has to be configured everywhere, no?
me@example.com in smtpd authentication has to use authentication (with username and password), then you have to configure in Dovecot how to get user_query and password_query.
Try to look at a full tutorial and decide whether you need SASL or not.
On 4/9/23 14:03, Willy Manga wrote:
"fatal: no SASL authentication mechanisms"
try setting in dovecot
auth_debug = yes
auth_verbose = yes
and then restart both services and check logs when the problem occurs.
Also, be aware that dovecot usually 'subcontracts' the auth process to pam, so checking the contents of
/etc/pam.d/dovecot
could be helpful
On 2023-09-04, Willy Manga wrote:
When I switch that setting to 'yes', I still got
"fatal: no SASL authentication mechanisms"
give us ls -l /var/spool/postfix/private/
Sep 04 07:01:01 smtp2 postfix/relay/smtp[186183]: B61CB5FCFF: to=<me@example.com>, relay=smtp.example.com[1.2.3.4]:587, delay=1.3, delays=0.22/0.01/1.1/0, dsn=4.4.2, status=deferred (lost connection with smtp.example.com[1.2.3.4] while performing the EHLO handshake)
Relay between MTAs should be on port 25 with no SASL. Port 587 is for submission with SASL. If you want to stay on 587 you need to set up SASL on the sender.
On 04/09/2023 11:03, Michel Verdier wrote:
On 2023-09-04, Willy Manga wrote:
When I switch that setting to 'yes', I still got
"fatal: no SASL authentication mechanisms"
give us ls -l /var/spool/postfix/private/
http://paste.debian.net/1290879/
Sep 04 07:01:01 smtp2 postfix/relay/smtp[186183]: B61CB5FCFF: to=<me@example.com>, relay=smtp.example.com[1.2.3.4]:587, delay=1.3, delays=0.22/0.01/1.1/0, dsn=4.4.2, status=deferred (lost connection with smtp.example.com[1.2.3.4] while performing the EHLO handshake)
Relay between MTA should be on port 25 with no sasl. Port 587 is for submission with sasl. If you want to stay on 587 you need to setup sasl on the sender.
I changed it to smtp (port 25)
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
On September 4, 2023 8:39:33 AM UTC, Willy Manga <mangawilly@gmail.com> wrote:
On 04/09/2023 11:03, Michel Verdier wrote:
On 2023-09-04, Willy Manga wrote:
When I switch that setting to 'yes', I still got
"fatal: no SASL authentication mechanisms"
give us ls -l /var/spool/postfix/private/
Since it's possible that you are using Debian or Ubuntu, you should make certain that you have libsasl2-modules installed.
It's odd that libsasl2-modules-db is a dependency of libsasl2 but libsasl2-modules isn't.
hth,
-Jim P.
On 04/09/2023 13:00, Jim Popovitch via dovecot wrote:
On September 4, 2023 8:39:33 AM UTC, Willy Manga <mangawilly@gmail.com> wrote:
[...] Since it's possible that you are using Debian or Ubuntu, you should make certain that you have libsasl2-modules installed.
I'm using debian12
It was already installed
root@smtp:~# apt-cache policy libsasl2-modules
libsasl2-modules:
  Installed: 2.1.28+dfsg-10
  Candidate: 2.1.28+dfsg-10
  Version table:
 *** 2.1.28+dfsg-10 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
cyril.leclerc@mantiq.com wrote on 2023-09-04 07:38:
you have this smtpd_sasl_auth_enable = no
in postfix main.cf this is the default, don't make it yes :)
in your config it should be smtpd_sasl_auth_enable=yes
in postfix master.cf make this yes, not in global scope
If unsure, show postconf -nf, postconf -Mf
- mangawilly@gmail.com <mangawilly@gmail.com>:
Hi. Can someone help me please check what is wrong with my config? postfix is saying "no SASL authentication mechanisms" and I'm using dovecot. From what I read so far, it is related to my dovecot settings. Here are the details of my config http://paste.debian.net/1290864/
Please verify and show that /var/spool/postfix/private/auth has been created with correct permissions.
p@rick
-- Patrick Ben Koetter p@state-of-mind.de
On 04/09/2023 09:02, mangawilly@gmail.com wrote:
Hi. Can someone help me please check what is wrong with my config? postfix is saying "no SASL authentication mechanisms" and I'm using dovecot. From what I read so far, it is related to my dovecot settings. Here are the details of my config http://paste.debian.net/1290864/
Thank you for all the feedback received either here or on IRC.
I updated a little bit my configuration. Here is the current one with at the top the error I get if I try to send over submissions (port 465)
http://paste.debian.net/1290927/
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
Hi Willy,
On 04.09.23 19:54, Willy Manga wrote:
I updated a little bit my configuration. Here is the current one with at the top the error I get if I try to send over submissions (port 465)
could you please try the following changes:
remove
smtpd_sasl_security_options = noanonymous, noplaintext
from your main.cf
just to be sure, add the following:
-o smtpd_sasl_security_options=noanonymous
to both the 'submission' _and_ the 'submissions' entries of your master.cf
the submission entry of master.cf is missing an:
-o smtpd_sasl_type=dovecot
Restart Postfix, have a look at the log and try to send e. g. via submissions / port 465.
Regards, Markus
Hi Markus,
On 04/09/2023 23:11, Markus Winkler wrote:
Hi Willy,
On 04.09.23 19:54, Willy Manga wrote:
I updated a little bit my configuration. Here is the current one with at the top the error I get if I try to send over submissions (port 465)
could you please try the following changes: [...] Restart Postfix, have a look at the log and try to send e. g. via submissions / port 465.
It works now! Thank you very much.
I changed my settings as per your recommendation ( http://paste.debian.net/1290945/ )
Was it because I disabled 'plaintext' while at the same time allowing it through Dovecot?
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
Hi Willy,
On Mon, 04 Sep 2023 at 09:32:02PM +0000, Willy Manga wrote:
It works now!
thanks for the feedback - I'm glad to hear that it works. :)
Was it because I disabled 'plaintext' while at the same time allowing it through Dovecot?
Not only allowing, you force it ;-):
doveconf -n
[...]
  auth_mechanisms = plain login
--------------------^^^^^^^^^^^
But that's OK and the only thing you had to do was enabling plaintext on the Postfix side.
Best regards, Markus
On 2023-09-04, Willy Manga wrote:
It works now! Thank you very much.
I changed my settings as per your recommendation ( http://paste.debian.net/1290945/ )
Was it because I disabled 'plaintext' while at the same time allowing it through Dovecot?
dovecot with PAM needs plaintext method. So if postfix disables it they can't share a method.
https://doc.dovecot.org/configuration_manual/authentication/authentication_m...
On 5/9/23 14:31, Michel Verdier wrote:
dovecot with PAM needs plaintext method. So if postfix disables it they can't share a method.
You have to be careful to require any plaintext client password to travel over a TLS secured connection
smtpd_tls_auth_only = yes
More generally, it's good practice to use preferred ciphers and protocols. This is part of my postfix configuration:
# TLS parameters
tls_random_source = dev:/dev/urandom
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# From Redhat
# Alternate Protocols TLSv1.2 only
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
# Ciphers
# Currently recommended ciphers, excluding DES-based ciphers to avoid SWEET32 attack
# and remove SHA1-based ciphers, leaves SHA256 & SHA256 variations
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SHA
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
# End from Redhat
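The mechanism mismatch diagnosed in this thread, and the smtpd_tls_auth_only advice that followed, can be checked mechanically. The following is an added example, not part of any poster's message and not code from Postfix or Dovecot. The function names, finding labels and sample settings are constructed for illustration, only the noanonymous and noplaintext options are modelled, and the input is assumed to be the effective settings of one smtpd service.

```python
import re

# Which smtpd_sasl_security_options keyword filters out which mechanisms.
# Simplified table (assumption): only the two options discussed in the thread.
EXCLUDED_BY = {
    "noplaintext": {"plain", "login"},
    "noanonymous": {"anonymous"},
}

def parse_settings(text):
    """Parse 'name = value' lines as printed by postconf -n / doveconf -n."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith("#"):
            settings[name.strip()] = value.strip()
    return settings

def usable_mechanisms(postfix, dovecot):
    """Mechanisms Dovecot offers that survive Postfix's security options."""
    offered = dovecot.get("auth_mechanisms", "plain").lower().split()
    options = re.split(
        r"[,\s]+", postfix.get("smtpd_sasl_security_options", "noanonymous").lower())
    banned = set().union(*(EXCLUDED_BY.get(o, set()) for o in options))
    return [m for m in offered if m not in banned]

def audit(postfix_text, dovecot_text):
    """Return finding labels (hypothetical names) for one pair of configs."""
    postfix, dovecot = parse_settings(postfix_text), parse_settings(dovecot_text)
    if postfix.get("smtpd_sasl_auth_enable", "no") != "yes":
        return []  # SASL is off for this service, nothing to compare
    left = usable_mechanisms(postfix, dovecot)
    findings = []
    if not left:  # the condition behind "no SASL authentication mechanisms"
        findings.append("no-common-mechanism")
    plaintext_left = set(left) & EXCLUDED_BY["noplaintext"]
    if plaintext_left and postfix.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("plaintext-without-tls-only")
    return findings

# Constructed sample settings modelled on the situation in the thread.
DOVECOT = "auth_mechanisms = plain login\n"
BROKEN = (
    "smtpd_sasl_auth_enable = yes\n"
    "smtpd_sasl_type = dovecot\n"
    "smtpd_sasl_security_options = noanonymous, noplaintext\n"
)
FIXED = BROKEN.replace(", noplaintext", "")
HARDENED = FIXED + "smtpd_tls_auth_only = yes\n"
```
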
participants (9)
- Benny Pedersen
- cyril.leclerc@mantiq.com
- jeremy ardley
- Jim Popovitch
- mangawilly@gmail.com
- Markus Winkler
- Michel Verdier
- Patrick Ben Koetter
- Willy Manga