Able to send from localhost only; when connecting from outside, getting 535 5.7.8 Error: authentication failed: authentication failure

OS type and version Ubuntu 20
Virtualmin version latest stable
Mail log:
May 14 23:46:45 vmi1727893 postfix/smtpd[279655]: warning: unknown[]: SASL LOGIN authentication failed: authentication failure
May 14 23:46:45 vmi1727893 postfix/smtpd[279655]: lost connection after AUTH from unknown[]
May 14 23:46:45 vmi1727893 postfix/smtpd[279655]: disconnect from unknown[] ehlo=1 auth=0/1 rset=1 commands=2/3

journalctl -x -e shows the following

May 14 23:47:14 postfix/smtpd[279655]: connect from unknown[]
May 14 23:47:14 saslauthd[277160]: pam_unix(smtp:auth): check pass; user unknown
May 14 23:47:14 saslauthd[277160]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 14 23:47:16 saslauthd[277160]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 14 23:47:16 saslauthd[277160]:                 : auth failure: [user=cooter] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 14 23:47:16 postfix/smtpd[279655]: warning: unknown[]: SASL LOGIN authentication failed: authentication failure

But webmail is sending fine and I am able to connect to IMAP, so it looks like there is some misconfiguration and Postfix either uses another database (its own) and not the one that Dovecot uses. However, in the config files there are no explicit other databases, and it seems that it uses /etc/passwd.

I am running out of ideas about what else may cause this issue :frowning: Please help! Config file:

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_security_level = may

smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname,,, , localhost
relayhost = 
mynetworks = [::ffff:]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
milter_default_action = accept
smtpd_milters = inet:
non_smtpd_milters = inet:

Here is /etc/default/saslauthd


# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.

# Should saslauthd run automatically on startup? (default: no)

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)

# Which authentication mechanisms should saslauthd use? (default: pam)

# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)

# Only one option may be used at a time. See the saslauthd man page
# for more information.

# Example: MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!

# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.

# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.

# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"

# To know if your Postfix is running chroot, check /etc/postfix/
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

Pretty sure your OPTIONS for /etc/default/saslauthd should also have -r. Not sure why you don’t have it, the installer would have set it that way.

And, make sure you’re actually using the full username. Usermin will do some clever things and try to make it work, even if you don’t give it the full username (e.g. if you connect to https://domain.tld:20000 and log in as joe, it’ll try to authenticate for user joe@domain.tld, too, but Postfix will not try to correct an incomplete username…and without -r saslauthd will treat the domain name wrong, too).

That was it! Thank you very much

