Postfix not accepting SASL user auth password

justinwpw · January 10, 2010, 9:56pm

Hi

I’m trying to use my Postfix smtp server with the Thunderbird email client running from another PC over the Internet.

It connects to the mail server, requests my password but does not accept it. It keeps asking me again to enter my password. The password is correct.

Any ideas?

Thanks!

justinwpw · January 11, 2010, 5:12pm

Anyone able to help on this one?

Eric · January 11, 2010, 5:16pm

Take a peek in the logs – exactly which one depends on your distro, but start with the mail logs… /var/log/mail.log or /var/log/maillog.

Do you see any errors in there during the time you’re trying to authenticate?

-Eric

justinwpw · January 11, 2010, 6:12pm

Just tried to authenticate. Here’s the log. Appears to be because my external IP address accessed via my router is not listed for hostname dsldevice.lan. How do I associate my external IP address with hostname dsldevice.lan?

Jan 11 18:04:59 ns1 postfix/smtpd[11021]: warning: xxx.xxx.xxx.xxx: address not listed for hostname dsldevice.lan
Jan 11 18:04:59 ns1 postfix/smtpd[11021]: connect from unknown[xxx.xxx.xxx.xxx]
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: Password verification failed
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: unknown[xxx.xxx.xxx.xxx]: SASL PLAIN authentication failed: generic failure
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: generic failure
Jan 11 18:05:06 ns1 postfix/smtpd[11021]: disconnect from unknown[xxx.xxx.xxx.xxx]

Eric · January 11, 2010, 6:30pm

Well, the issue that appears to be occurring above looks like a problem with Postfix talking to the saslauth daemon.

I’ve seen that occur on older Ubuntu/Debian installs (in theory, that should be corrected with the current install.sh script).

However, to resolve it, run this command as root:

usermod -a -G sasl postfix

And then restart Saslauthd:

/etc/init.d/saslauthd restart

And then give it another shot, that should do the trick!

-Eric

justinwpw · January 11, 2010, 7:31pm

Thanks Eric, it works now:-)

justinwpw · January 12, 2010, 8:40am

Yes, it works for sending email from the Thunderbird client, but on downloading email, it tries to connect to the server and times out after about 20 secs.

I expect that is a separate problem to the one above. I’ve got some 904 short email messages in the Inbox on the server; only a total of 1.64 MB.

I’m using the SSL option for the Thunderbird settings.

justinwpw · January 12, 2010, 7:02pm

I can send mail, but cannot receive mail. It tries to connect but times out.

Help required???

Eric · January 12, 2010, 7:06pm

I’d expect to see a problem like that if your ISP was blocking port 25 (which many do these days).

If that’s the case, there’s not much you’d be able to do to resolve that, unfortunately…

-Eric

justinwpw · January 12, 2010, 7:57pm

Nope, port 25 is not blocked by my ISP. Neither is port 110. I just checked with CanYouSeeMe.org.

It’s obviously something else causing the problem.

Eric · January 12, 2010, 8:07pm

Well, I guess I’m not sure I understand the problem… if clients are timing out when trying to send you a message, I’m not sure it makes sense that the canyouseeme.org site thinks you’re online – in theory, that would timeout too.

What’s an example domain name you’re having trouble with? (you can always mask it out later after we resolve all this)

-Eric

justinwpw · January 12, 2010, 8:23pm

Have a look at example.uk. Thanks. As I said, using Thunderbird from another PC on the same network, I can SEND emails using the mail.example.uk smtp server, but I can’t receive (download) emails from the Inbox on this server. I CAN access the Inbox of this mailbox using Usermin web interface, but thats using a different method.

Eric · January 13, 2010, 3:44am

I’m able to connect to Dovecot on both port 110 (POP) and port 143 (IMAP) without any problems.

If you’re getting timeouts connecting to those ports, it may be a network issue of some kind. Are you seeing any errors in the logs when you try?

-Eric

justinwpw · January 13, 2010, 8:13am

It was a silly error caused by not opening a port on my NAT router. By using the SSL (port 993) setting on Thunderbird, I was able to download my emails from the server.

However, I have been experimenting with the Thunderbird settings. It seems that it will not connect if I use the TLS (port 143) setting. Yes, the port is open on my router. In Postfix, it says that I have TLS enabled for the SMTP server??? I WAS able to connect and download using the SSL setting.

But now I’m unable to connect at all through Thunderbird. Says server will not allow me to connect. Is that a security feature caused by all my experimenting? How do I override it?

Eric · January 13, 2010, 1:54pm

Hmm, well, port 143 is generally the plain text (and non-TLS) port. If Thunderbird is setup to use TLS for that port, unless there’s something non-typical setup on your server, I suspect that wouldn’t work.

If you disable TLS, and just use plain text to access port 143, does that work?

-Eric

Eric · January 13, 2010, 6:09pm

It sounds like “disable_plaintext_auth” may be set to “yes”.

Open up /etc/dovecot/dovecot.conf, and make sure that disable_plaintext_auth is set to “no”, then restart Dovecot.

-Eric

justinwpw · January 13, 2010, 6:11pm

It may or may not be relevant, but I have the following under SMTP Server Options:

Restrictions on recipient addresses: permit_mynetworks permit_sasl_authenticated myorigin = $mydomain reject_unauth_destination

I’m not sure about the myorigin = $mydomain, because I am operating a virtual server environment with Virtualmin. I remember that myorigin = $mydomain had to be taken out of the Postfix main.cf file to get Postfix to work with the virtual servers.

justinwpw · January 13, 2010, 6:19pm

In dovecot.conf, I have:

Disable LOGIN command and all other plaintext authentications unless

SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

matches the local IP (ie. you’re connecting from the same computer), the

connection is considered secure and plaintext authentication is allowed.

#disable_plaintext_auth = yes

So, it is not set to yes.

justinwpw · January 13, 2010, 6:25pm

Hi, after disabling TLS and deselecting TLS on the Thinderbird client, I get the following error from Thunderbird:

“You cannot login to mail.domain.co.uk because the server has disabled login. You may need to connect via SSL or TLS. Please check the account settings for your mail server.”

These are my settings in Postfix:

Module Index
SMTP Authentication And Encryption

SMTP Authentication And Encryption
Enable SASL SMTP authentication? Yes Handle non-compliant SMTP clients? Yes
SMTP security options
Reject anonymous logins Yes
Reject plain-text logins No
SMTP relaying restrictions
Allow connections from same network Yes
Allow connections from this system No
Reject clients with no reverse hostname NO
Allow authenticated clients Yes
Reject email to other domains Yes
Allow only relay domains No
Allow domains this system is a backup MX for No
Delay clients with failed logins? Yes
Enable TLS encryption? Yes
TLS certificate file Yes
TLS private key file Yes
TLS certificate authority file None

Eric · January 13, 2010, 6:26pm

Well, I believe it defaults to use unless told otherwise.

Try explicitly setting it to “no”.

-Eric