postfix/smtpd: fatal: no SASL authentication

Bug #1940603 reported by Todd Taft
This bug affects 1 person
Affects           Status   Importance  Assigned to  Milestone
postfix (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

I'm trying to set up a combination IMAP/SMTP server using Dovecot and Postfix on a 20.04 system. After attempting to set up SASL authentication for postfix, the system fails with a postfix/smtpd: fatal: no SASL authentication mechanisms whenever any SMTP connection is attempted (either via a program like Thunderbird or telnet localhost 25). I'm trying to use the guide at https://ubuntu.com/server/docs/mail-postfix, but even with some of the debug settings enabled, I'm still not seeing a more useful log message. What's wrong?

My configuration:

root@kangaroo:~# apt list --installed | egrep 'postfix|dovecot|sasl'

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dovecot-core/focal-updates,focal-security,now 1:2.3.7.2-1ubuntu3.4 amd64 [installed]
dovecot-imapd/focal-updates,focal-security,now 1:2.3.7.2-1ubuntu3.4 amd64 [installed]
libauthen-sasl-perl/focal,now 2.1600-1 all [installed,automatic]
libsasl2-2/focal,now 2.1.27+dfsg-2 amd64 [installed,automatic]
libsasl2-dev/focal,now 2.1.27+dfsg-2 amd64 [installed]
libsasl2-modules-db/focal,now 2.1.27+dfsg-2 amd64 [installed,automatic]
libsasl2-modules/focal,now 2.1.27+dfsg-2 amd64 [installed,automatic]
postfix/focal-updates,now 3.4.13-0ubuntu1 amd64 [installed]
sasl2-bin/focal,now 2.1.27+dfsg-2 amd64 [installed]

root@kangaroo:~# dovecot -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.10.0-1038-oem x86_64 Ubuntu 20.04.2 LTS
# Hostname: kangaroo.unclet.net
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

root@kangaroo:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = kangaroo.unclet.net, localhost.unclet.net, localhost, localhost.localdomain
myhostname = kangaroo.unclet.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

root@kangaroo:~# postconf -M
smtp inet n - n - - smtpd -v
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp -o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

root@kangaroo:~# systemctl is-active dovecot
active

root@kangaroo:~# systemctl is-active postfix
active

taft@kangaroo:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

This is what I see in /var/log/mail.log:

Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: all
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: inet_addr_local: configured 2 IPv4 addresses
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: inet_addr_local: configured 4 IPv6 addresses
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: process generation: 30 (30)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? permit_mx_backup_networks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? qmqpd_authorized_clients
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? relay_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? smtpd_access_maps
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_list_match: smtpd_client_event_limit_exceptions: no match
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: host
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: 127.0.0.1/32: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: 10.1.2.21/32: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: [::1]/128: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: [fe80::2e0:4cff:fe9d:a9eb]/128: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: [fe80::2e0:4cff:fe9d:aa2f]/128: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: been_here: [fe80::2ef0:5dff:fe46:fb7a]/128: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: mynetworks_core: 127.0.0.1/32 10.1.2.21/32 [::1]/128 [fe80::2e0:4cff:fe9d:a9eb]/128 [fe80::2e0:4cff:fe9d:aa2f]/128 [fe80::2ef0:5dff:fe46:fb7a]/128
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: mynetworks ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? permit_mx_backup_networks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? qmqpd_authorized_clients
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: relay_domains ~? relay_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? permit_mx_backup_networks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: connect to subsystem private/proxymap
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr request = open
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr table = unix:passwd.byname
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr flags = 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/proxymap socket: wanted attribute: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/proxymap socket: wanted attribute: flags
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: flags
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 16
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/proxymap socket: wanted attribute: (list terminator)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: (end)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=fixed
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: dict_open: proxy:unix:passwd.byname
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: Compiled against Berkeley DB: 5.3.28?
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: Run-time linked against Berkeley DB: 5.3.28?
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: dict_open: hash:/etc/aliases
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? mynetworks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? permit_mx_backup_networks
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? qmqpd_authorized_clients
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? relay_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? smtpd_access_maps
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: unknown_helo_hostname_tempfail_action = defer_if_permit
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: unknown_address_tempfail_action = defer_if_permit
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: unverified_recipient_tempfail_action = defer_if_permit
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: unverified_sender_tempfail_action = defer_if_permit
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: 4
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: initializing the server-side TLS engine
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: auto_clnt_create: transport=local endpoint=private/tlsmgr
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: auto_clnt_open: connected to private/tlsmgr
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr request = seed
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr size = 32
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: seed
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: seed
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: L0isnDSApijRpjlNVB5aGF82H3bWHduc6qG5V4l16oY=
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: (list terminator)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: (end)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr request = policy
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: send attr cache_type = smtpd
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: status
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: cachable
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: cachable
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: timeout
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: timeout
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute value: 3600
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: private/tlsmgr: wanted attribute: (list terminator)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: input attribute name: (end)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: fast_flush_domains ~? debug_peer_list
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_string: parent_domain_matches_subdomains: fast_flush_domains ~? fast_flush_domains
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: auto_clnt_create: transport=local endpoint=private/anvil
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: connection established
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: master_notify: status 0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: resource
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: software
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: connect from kangaroo.unclet.net[127.0.0.1]
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_list_match: kangaroo.unclet.net: no match
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_list_match: 127.0.0.1: no match
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_list_match: kangaroo.unclet.net: no match
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_list_match: 127.0.0.1: no match
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_hostname: smtpd_client_event_limit_exceptions: kangaroo.unclet.net ~? 127.0.0.0/8
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: match_hostaddr: smtpd_client_event_limit_exceptions: 127.0.0.1 ~? 127.0.0.0/8
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: > kangaroo.unclet.net[127.0.0.1]: 220 kangaroo.unclet.net ESMTP Postfix (Ubuntu)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: noanonymous
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: noplaintext
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: Connecting
Aug 17 04:07:21 kangaroo dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Aug 17 04:07:21 kangaroo dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Aug 17 04:07:21 kangaroo dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: VERSION?1?2
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: plaintext
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Aug 17 04:07:21 kangaroo dovecot: auth: Debug: auth client connected (pid=0)
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: name_mask: plaintext
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: SPID?46497
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: CUID?1
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: COOKIE?f1df4b151ab753934e42c4baaa1d2620
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: DONE
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_mech_filter: skip mechanism: PLAIN
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: xsasl_dovecot_server_mech_filter: skip mechanism: LOGIN
Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: fatal: no SASL authentication mechanisms
Aug 17 04:07:22 kangaroo postfix/master[26205]: warning: process /usr/lib/postfix/sbin/smtpd pid 46495 exit status 1
Aug 17 04:07:22 kangaroo postfix/master[26205]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

Although this step was not in the install guide I've referenced, I've tried adding sasl2-bin and editing /etc/default/saslauthd:

root@kangaroo:~# grep -v ^\# /etc/default/saslauthd |grep -v ^\$
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"

root@kangaroo:~# systemctl is-active saslauthd
active

Simon Déziel (sdeziel) wrote :

With postfix using "smtpd_sasl_type = dovecot", you shouldn't need sasl2-bin.

I think your test with telnet on port 25 will not work because you have "smtpd_sasl_security_options = noanonymous,noplaintext" which disables "plaintext" type of auth and both LOGIN and PLAIN are in the clear.

It's generally advised to enable SASL/authenticated relaying only on TCP/465 and/or TCP/587 where you can (and should) require TLS encryption. Once you use one of those ports with mandatory encryption, you can set "smtpd_sasl_tls_security_options = noanonymous" (note the "tls" in the name).

For more information, please refer to those:

https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options

HTH,
Simon

Christian Ehrhardt  (paelzer) wrote :

Thank you Simon,
marking the bug incomplete until clarification of your configuration hints in regard to the case.

Changed in postfix (Ubuntu):
status: New → Incomplete
Todd Taft (taft) wrote :

I didn't think the sasl2-bin package was needed, but someone else suggested I try adding it.

Even with the settings that I had, shouldn't I have seen some messages from the server on the telnet connection? (e.g. remote mail server connecting to send mail to an address where this system is the final destination, so no authentication is attempted) If I telnet to port 25 on other servers, I get a 220 message, and then it waits for some command. On this system, I get no message from the server, and the connection is closed within about a second.

Changed in postfix (Ubuntu):
status: Incomplete → New
Simon Déziel (sdeziel) wrote :

@Todd, I somehow had missed you were already using the smtpd_sasl_tls_security_options config, sorry about that. I don't understand why telnet didn't display the 220 banner as the logs suggest it was sent:

  Aug 17 04:07:21 kangaroo postfix/smtpd[46495]: > kangaroo.unclet.net[127.0.0.1]: 220 kangaroo.unclet.net ESMTP Postfix (Ubuntu)

I doubt it will make a difference but maybe try with `nc -v 127.0.0.1 25` instead?

It would be nice if you could provide the output of `sudo ss -nltp`. Also, if you don't mind, please attach the main.cf and master.cf files so I can use them to reproduce here.

Todd Taft (taft) wrote :

I don't see a 220 message with the nc command either.

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 1 127.0.0.1:24697 0.0.0.0:* users:(("IDrive:CDP-serv",pid=15790,fd=4))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=2515,fd=13))
LISTEN 0 4096 0.0.0.0:4000 0.0.0.0:* users:(("rpc.statd",pid=3079,fd=9))
LISTEN 0 100 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=1471,fd=35))
LISTEN 0 100 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=1471,fd=33))
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=1103,fd=4),("systemd",pid=1,fd=237))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=1137,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1490,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=8958,fd=7))
LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=2515,fd=14))
LISTEN 0 4096 [::]:4000 [::]:* users:(("rpc.statd",pid=3079,fd=11))
LISTEN 0 100 [::]:993 [::]:* users:(("dovecot",pid=1471,fd=36))
LISTEN 0 100 [::]:143 [::]:* users:(("dovecot",pid=1471,fd=34))
LISTEN 0 4096 [::]:111 [::]:* users:(("rpcbind",pid=1103,fd=6),("systemd",pid=1,fd=239))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1490,fd=4))
LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=8958,fd=6))

Todd Taft (taft) wrote :

Any more info you need? I was trying to follow the official Ubuntu server guide ( https://ubuntu.com/server/docs/mail-postfix ) with only a few deviations for things like a different location for SSL files. Are there more problems with that guide? Earlier in this item, you suggested moving authenticated connects off of port 25, but that doesn't happen in this guide.

tags: added: server-next
Simon Déziel (sdeziel) wrote :

I finally got around to taking another look, sorry for the delay. The problem is the "noplaintext" in smtpd_sasl_security_options. Here's a small config diff that fixes the problem:

# diff -Naur main.cf.bug main.cf
--- main.cf.bug 2021-09-15 19:14:02.919982259 +0000
+++ main.cf 2021-09-15 19:18:04.765338947 +0000
@@ -48,8 +48,7 @@
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_local_domain =
-smtpd_sasl_security_options = noanonymous,noplaintext
-smtpd_sasl_tls_security_options = noanonymous
+smtpd_tls_auth_only = yes
 broken_sasl_auth_clients = yes
 smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
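
Review bot: the two removed `smtpd_sasl_*security_options` lines leave mechanism filtering entirely to Postfix defaults, and nothing in the resulting file records that; consider keeping an explicit `smtpd_sasl_security_options = noanonymous` beside the new `smtpd_tls_auth_only = yes` so main.cf itself shows that plaintext mechanisms are allowed and anonymous ones are not. Since `smtpd_tls_auth_only = yes` puts AUTH behind STARTTLS, a comment above it saying that a port 25 test has to complete STARTTLS before AUTH is offered would help whoever next debugs this file.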

I believe this confirms the problem to be a local config one so I'll mark the bug as invalid. Let me know if the above diff doesn't make it work for you.

Changed in postfix (Ubuntu):
status: New → Invalid
tags: removed: server-next
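
The mechanism filtering discussed in this thread, as an added example that is not part of the original report and not Postfix's own code: a simplified Python model that reads the `MECH` lines from the `smtpd -v` log and the main.cf settings involved, then reports which mechanisms survive on plaintext and TLS sessions. The function names, result keys, `WEAK_CF` sample and the flag-to-option table are assumptions of this example; the defaults used are the documented Postfix ones.

```python
import re

# Two lines copied from the report's mail.log; tab separators are logged as '?'.
LOG = [
    "postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext",
    "postfix/smtpd[46495]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext",
]
# main.cf excerpts before and after the diff posted in the report.
BUG_CF = ("smtpd_sasl_security_options = noanonymous,noplaintext\n"
          "smtpd_sasl_tls_security_options = noanonymous\n")
FIXED_CF = "smtpd_tls_auth_only = yes\n"
# Constructed for contrast: plaintext mechanisms allowed, TLS not required.
WEAK_CF = "smtpd_sasl_security_options = noanonymous\n"

# Assumed simplified mapping: Dovecot mechanism flag -> option that rejects it.
FORBIDS = {"plaintext": "noplaintext", "anonymous": "noanonymous",
           "active": "noactive", "dictionary": "nodictionary"}
MECH_RE = re.compile(r"auth reply: MECH\?(\S+)")


def parse_mechs(log_lines):
    """Return {mechanism: set(flags)} from the 'auth reply: MECH' log lines."""
    mechs = {}
    for line in log_lines:
        m = MECH_RE.search(line)
        if m:
            name, *flags = m.group(1).split("?")
            mechs[name] = set(flags)
    return mechs


def parse_main_cf(text):
    """Minimal 'key = value' parser: no continuation lines, no $name expansion."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def options(conf, tls):
    """Security options in force for a plaintext (tls=False) or TLS session."""
    # Documented defaults: noanonymous; the tls variant inherits the non-TLS value.
    base = conf.get("smtpd_sasl_security_options", "noanonymous")
    value = conf.get("smtpd_sasl_tls_security_options", base) if tls else base
    return {opt for opt in re.split(r"[,\s]+", value) if opt}


def surviving(mechs, opts):
    """Mechanisms that carry no flag forbidden by the active options."""
    return sorted(name for name, flags in mechs.items()
                  if not any(FORBIDS.get(flag) in opts for flag in flags))


def audit(main_cf, log_lines):
    conf, mechs = parse_main_cf(main_cf), parse_mechs(log_lines)
    plain = surviving(mechs, options(conf, tls=False))
    auth_only = conf.get("smtpd_tls_auth_only", "no") == "yes"
    return {
        "plaintext_session": plain,
        "tls_session": surviving(mechs, options(conf, tls=True)),
        # Every mechanism skipped before TLS: the state the report's log ends in.
        "fatal_no_mechanisms": not plain,
        # True when a plaintext-flagged mechanism is usable without TLS.
        "cleartext_password_possible":
            not auth_only and any("plaintext" in mechs[m] for m in plain),
    }


if __name__ == "__main__":
    for label, cf in (("bug", BUG_CF), ("fixed", FIXED_CF), ("weak", WEAK_CF)):
        print(label, audit(cf, LOG))
```
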
Todd Taft (taft) wrote :

That change to the file does seem to prevent the error, and I appreciate the help with my immediate problem. I'm still wondering if having the program crash as it did without generating a very useful error message is desirable behavior.
