I’m in the process of setting up a new Virtualmin to replace an old existing one. The old one is running Virtualmin 7.7 Pro on Ubuntu 20 and the new one Virtualmin 7.20.2 Pro on Debian 12.
Both are set up with Postfix, Dovecot, Procmail and Spamassassin.
I have compared settings of old and new server and they are identical. Also the new server passes the Virtualmin check without errors or warnings.
When I telnet to the old server on the SMTP port I get the welcome banner of ESMTP Postfix. On the new server it connects but there is no banner, and whatever SMTP commands I try, nothing happens.
What should I check?
If I look for postfix in the system logs, it’s filled with this:
Nov 29 06:16:26 nameofmyserver postfix/master[632296]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Nov 29 06:16:26 nameofmyserver postfix/master[632296]: warning: process /usr/lib/postfix/sbin/smtpd pid 1601487 exit status 1
I did the test as suggested in Virtualmin doc but I get a strange error:
testsaslauthd -u info -p mypass -s imap
connect() : No such file or directory
All the indications I could find on the Internet about that problem didn’t fix it.
Thanks for the link but it’s no better; clearly communication between dovecot and saslauth is not working: Connect to Dovecot auth socket 'private/auth' failed: No such file or directory
and postfix still has the same error when starting.
Dovecot does not authenticate via saslauthd, unless you have altered the configuration. That is an unrelated issue. (And, to be more clear, private/auth is not saslauthd.)
Thanks for the clarification, as I had read that dovecot and sasl might be linked. I’m then at a loss on what to do or check to fix that problem of the mail server not working.
Should I delete/reinstall postfix?
Why? The error will be in some configuration file and not the binaries, so you may find that on delete/reinstall the configuration files are still there. It would be better to find out what is wrong rather than applying the ‘Microsoft user’ silver bullet by wasting time reinstalling.
This is always a terrible instinct. It can only ever break things further.
And, even worse, in this case, it’s not even a problem with Postfix! saslauthd is not in the postfix package. saslauthd is in its own package. But, you shouldn’t go deleting that either.
Is saslauthd running? If it isn’t, why isn’t it? Look at the status of the service, and look at the journal entries for that unit while you try to restart it for clues about why it isn’t running.
If it is running…I dunno. I can’t imagine you’d have the errors you have if saslauthd is running.
I wonder if Debian 12 needs the same tweaks that Ubuntu 24 needed. @Ilia you made this change, but it’s specific to Ubuntu…is Debian 12 not doing the same thing? Ubuntu and Debian tend to follow each other on stuff like this.
The correct and default saslauthd socket directory for Debian 12 is /var/spool/postfix/var/run/saslauthd, not /var/run/saslauthd as OP reported. Unless something has changed recently, which I highly doubt.
So I rolled back all my modifications and restarted services but it’s still not working properly for postfix.
here it is:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
#OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
It’s what I have now back in config and looks to start properly:
● saslauthd.service - LSB: saslauthd startup script
Loaded: loaded (/etc/init.d/saslauthd; generated)
Active: active (running) since Sun 2024-12-08 20:20:13 CET; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 2581652 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
Tasks: 5 (limit: 76913)
Memory: 3.1M
CPU: 52ms
CGroup: /system.slice/saslauthd.service
├─2581673 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
├─2581674 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
├─2581675 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
├─2581676 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
└─2581677 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
Dec 08 20:20:13 pro-5.domedia.net systemd[1]: Starting saslauthd.service - LSB: saslauthd startup script...
Dec 08 20:20:13 pro-5.domedia.net saslauthd[2581673]: : master pid is: 2581673
Dec 08 20:20:13 pro-5.domedia.net saslauthd[2581673]: : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
Dec 08 20:20:13 pro-5.domedia.net saslauthd[2581652]: Starting SASL Authentication Daemon: saslauthd.
Dec 08 20:20:13 pro-5.domedia.net systemd[1]: Started saslauthd.service - LSB: saslauthd startup script.
but postfix still has an issue:
Dec 08 20:20:44 XXXXXXXX postfix/master[895371]: warning: process /usr/lib/postfix/sbin/smtpd pid 2581814 exit status 1
Dec 08 20:20:44 XXXXXXXX postfix/master[895371]: warning: process /usr/lib/postfix/sbin/smtpd pid 2581813 exit status 1
Dec 08 20:20:44 XXXXXXXX postfix/master[895371]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Dec 08 20:20:44 XXXXXXXX postfix/master[895371]: warning: process /usr/lib/postfix/sbin/smtpd pid 2581811 exit status 1
Dec 08 20:20:13 XXXXXXXX saslauthd[2581673]: : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
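An added example (not code from the thread or from Virtualmin) of the check the saslauthd file's comments describe: read the chroot column of the smtp service in master.cf and confirm that saslauthd's -m directory is the one a chrooted or non-chrooted smtpd will actually reach. It assumes the queue directory is /var/spool/postfix and treats "-" in the chroot column as the default that the master.cf header lists, (no); the function names and the trimmed inputs are constructed for illustration.

```python
import shlex

QUEUE_DIR = "/var/spool/postfix"  # assumption: queue directory seen in the thread's paths

def saslauthd_socket_dir(defaults_text):
    """Return the -m directory from the last active OPTIONS= line (shell: last wins)."""
    found = "/var/run/saslauthd"  # default named in the file's own comments
    for line in defaults_text.splitlines():
        if line.startswith("OPTIONS="):
            vals = shlex.split(line[len("OPTIONS="):])
            args = shlex.split(vals[0]) if vals else []
            if "-m" in args[:-1]:
                found = args[args.index("-m") + 1]
    return found

def smtpd_chrooted(master_cf_text):
    """True if the 'smtp inet' service has 'y' in the chroot column (5th field)."""
    for line in master_cf_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[:2] == ["smtp", "inet"]:
            return f[4] == "y"  # '-' means the default, shown as (no) in the header
    return False

def check(defaults_text, master_cf_text):
    """Compare where saslauthd listens with where smtpd will look for its socket."""
    actual = saslauthd_socket_dir(defaults_text)
    chroot = smtpd_chrooted(master_cf_text)
    # A chrooted smtpd resolves /var/run/saslauthd relative to the queue directory.
    expected = (QUEUE_DIR if chroot else "") + "/var/run/saslauthd"
    return {"chroot": chroot, "expected": expected, "actual": actual,
            "ok": actual == expected, "mux": actual + "/mux"}

# Constructed inputs, trimmed from the two files posted in this thread.
DEFAULTS = '''MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
#OPTIONS="-c -m /var/run/saslauthd"
THREADS=5
'''
MASTER = "smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes\n"

if __name__ == "__main__":
    result = check(DEFAULTS, MASTER)
    print(result)
    # testsaslauthd only reaches a non-default socket when given its path with -f
    print("testsaslauthd -u USER -p PASS -f", result["mux"])
```

testsaslauthd connects to its built-in default socket path unless -f names another one, so the reported mux path is the one to test against.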
I think you may have accidentally misedited your /etc/postfix/master.cf file. Here’s what the default master.cf config file looks like for me on Debian 12:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - y - - smtpd
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n - y - - smtpd
#submissions inet n - y - - smtpd
# -o syslog_name=postfix/submissions
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
  -o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
submission inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_tls_wrappermode=yes
Thanks @Ilia, so I replaced my master.cf with your version but it’s still the same, plus an issue with Dovecot now:
Dec 09 11:21:51 XXXXX postfix/master[3359806]: warning: process /usr/lib/postfix/sbin/smtpd pid 3361679 exit status 1
Dec 09 11:21:51 XXXXX postfix/master[3359806]: warning: process /usr/lib/postfix/sbin/smtpd pid 3361680 exit status 1
Dec 09 11:21:51 XXXXX postfix/master[3359806]: warning: process /usr/lib/postfix/sbin/smtpd pid 3361681 exit status 1
Dec 09 11:21:51 XXXXX postfix/smtpd[3361701]: connect from unknown[87.120.93.11]
Dec 09 11:21:51 XXXXX postfix/smtpd[3361701]: warning: SASL: Connect to Dovecot auth socket 'private/auth' failed: No such file or directory
Dec 09 11:21:51 XXXXX postfix/smtpd[3361701]: fatal: no SASL authentication mechanisms
Does your /etc/postfix/main.cf config file have the smtpd_sasl_auth_enable option set to yes? Also, is the saslauthd service running, and has it been restarted?
Yes for the option in main.cf, and yes also for the services restarted (sasl, postfix and dovecot). The logs are still much the same, but when an incoming SMTP connection shows up it gives a different error:
Dec 09 18:38:13 xxxxxxxxx postfix/smtpd[3787415]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Dec 09 18:38:13 xxxxxxxxx postfix/smtpd[3787415]: fatal: no SASL authentication mechanisms
Dec 09 18:38:13 xxxxxxxxx postfix/master[3717160]: warning: process /usr/lib/postfix/sbin/smtpd pid 3787357 exit status 1
Dec 09 18:38:13 xxxxxxxxx postfix/master[3717160]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Dec 09 18:38:13 xxxxxxxxx postfix/master[3717160]: warning: process /usr/lib/postfix/sbin/smtpd pid 3787359 exit status 1
Dec 09 18:38:13 xxxxxxxxx postfix/master[3717160]: warning: process /usr/lib/postfix/sbin/smtpd pid 3787360 exit status 1
Dec 09 18:38:13 xxxxxxxxx postfix/master[3717160]: warning: process /usr/lib/postfix/sbin/smtpd pid 3787364 exit status 1
Well, I’m the server administrator and I’m trying to understand what happens there. Is there a way I could reinitialise the postfix/sasl/dovecot config files? That would perhaps be the best solution, no?
Or install Debian 12 in a VM and check the differences in the config files once Virtualmin is installed in it?
Thanks @shoulders for the link; after quite a bit of trial and error I succeeded in getting the whole thing nearly fully working. The server accepts incoming emails properly and is able to send emails outside properly. If I use Roundcube on the same server I can log in to a mailbox and send/receive emails without any problems.
The only remaining issue is logging in with regular email apps. Each time I try to log in with KMail to send an email through SMTP or check the Inbox through IMAP, it fails.
All I get in logs is: warning: unknown[XXXXXXX]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=xxxxxx
Is it an issue with the sasl config, or is there other stuff to check?
Found out the issue. I deactivated the forced option to disallow credentials in clear in Dovecot. I enforce SSL connections for smtp and imap/pop3, so I guess it’s safe, right?
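On the Postfix side, clear-text credentials stay off the wire only if every AUTH-enabled listener requires TLS, and the master.cf posted earlier in this thread enables SASL on the smtp and submission services with smtpd_tls_security_level=may. An added example (not from the thread) that flags such listeners; it assumes main.cf does not already set smtpd_tls_auth_only=yes unless told so, handles only the plain "-o name=value" form, and its function names and sample are constructed.

```python
import re

def logical_lines(master_cf):
    """Drop comments/blank lines and join indented continuation lines (master(5))."""
    out = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def auth_without_tls(master_cf, main_cf=None):
    """Return names of smtpd listeners that can offer AUTH on an unencrypted session."""
    risky = []
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        opts = dict(main_cf or {})
        # "-o name=value" overrides main.cf for this one service
        opts.update(m.groups() for m in re.finditer(r"-o\s+(\w+)=(\S*)", line))
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            continue
        tls_forced = (opts.get("smtpd_tls_security_level") == "encrypt"
                      or opts.get("smtpd_tls_wrappermode") == "yes"
                      or opts.get("smtpd_tls_auth_only") == "yes")
        if not tls_forced:
            risky.append(f[0])
    return risky

# Constructed sample based on the three AUTH-enabled listeners in this thread's
# master.cf; the smtps override is moved to a continuation line to exercise the join.
SAMPLE = """\
smtp       inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
submission inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps      inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
  -o smtpd_tls_wrappermode=yes
pickup     unix n - y 60 1 pickup
"""

if __name__ == "__main__":
    print("AUTH possible without TLS on:", auth_without_tls(SAMPLE))
    print("with smtpd_tls_auth_only=yes in main.cf:",
          auth_without_tls(SAMPLE, {"smtpd_tls_auth_only": "yes"}))
```

Setting smtpd_tls_auth_only=yes in main.cf, or smtpd_tls_security_level=encrypt on the submission service as in the commented-out stock entries, clears both findings.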