Postfix with Dovecot SASL Authentication Error

Hello guys!

I’m using Webmin and Virtualmin to configure my mail server, and for that I set up my postfix, dovecot and saslauthd services.
But when I send a test mail from my Gmail to my server, I get this error:

fatal: no SASL authentication mechanisms

Here are all my configuration files and log files, to help:

Nov 4 14:42:49 ns1 postfix/postfix-script[2147]: stopping the Postfix mail system
Nov 4 14:42:49 ns1 postfix/master[1340]: terminating on signal 15
Nov 4 14:42:49 ns1 postfix/postfix-script[2228]: starting the Postfix mail system
Nov 4 14:42:49 ns1 postfix/master[2230]: daemon started -- version 2.10.1, configuration /etc/postfix
Nov 4 14:45:37 ns1 postfix/smtpd[2314]: connect from mail-oi0-f51.google.com[209.85.218.51]
Nov 4 14:45:37 ns1 postfix/smtpd[2314]: fatal: no SASL authentication mechanisms
Nov 4 14:45:38 ns1 postfix/master[2230]: warning: process /usr/libexec/postfix/smtpd pid 2314 exit status 1
Nov 4 14:45:38 ns1 postfix/master[2230]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Nov 4 14:47:18 ns1 postfix/anvil[2317]: statistics: max connection rate 1/60s for (smtp:209.85.218.51) at Nov 4 14:45:37
Nov 4 14:47:18 ns1 postfix/anvil[2317]: statistics: max connection count 1 for (smtp:209.85.218.51) at Nov 4 14:45:37
Nov 4 14:47:18 ns1 postfix/anvil[2317]: statistics: max cache size 1 at Nov 4 14:45:37

/var/log/maillog

Nov 04 14:45:37 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Nov 04 14:45:37 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Nov 04 14:45:37 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 04 14:45:37 auth: Debug: auth client connected (pid=0)

/var/log/dovecot.debug

Nov 04 14:43:28 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Nov 04 14:43:28 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Nov 04 14:43:28 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Nov 04 14:43:28 master: Info: Dovecot v2.2.10 starting up for imap, pop3 (core dumps disabled)

/var/log/dovecot.info
The processes were killed because I restarted the service, so ignore that, please.

[root@ns1 ~]# systemctl status dovecot -l
dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-11-04 14:43:28 BRST; 35s ago
Process: 2246 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
Main PID: 2250 (dovecot)
CGroup: /system.slice/dovecot.service
├─2250 /usr/sbin/dovecot -F
├─2251 dovecot/anvil
├─2252 dovecot/log
└─2254 dovecot/config

Nov 04 14:43:28 ns1.domain.com.br systemd[1]: Starting Dovecot IMAP/POP3 email server…
Nov 04 14:43:28 ns1.domain.com.br systemd[1]: Started Dovecot IMAP/POP3 email server.
systemctl status dovecot -l

[root@ns1 ~]# systemctl status postfix -l
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-11-04 14:42:49 BRST; 1min 55s ago
Process: 2141 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
Process: 2158 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 2154 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 2152 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Main PID: 2230 (master)
CGroup: /system.slice/postfix.service
├─2230 /usr/libexec/postfix/master -w
├─2231 pickup -l -t unix -u
└─2232 qmgr -l -t unix -u

Nov 04 14:42:49 ns1.domain.com.br systemd[1]: Starting Postfix Mail Transport Agent…
Nov 04 14:42:49 ns1.domain.com.br postfix/postfix-script[2228]: starting the Postfix mail system
Nov 04 14:42:49 ns1.domain.com.br postfix/master[2230]: daemon started -- version 2.10.1, configuration /etc/postfix
Nov 04 14:42:49 ns1.domain.com.br systemd[1]: Started Postfix Mail Transport Agent.
systemctl status postfix -l

[root@ns1 ~]# systemctl status saslauthd -l
saslauthd.service - SASL authentication daemon.
Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-11-03 12:19:08 BRST; 1 day 2h ago
Process: 1978 ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS (code=exited, status=0/SUCCESS)
Main PID: 1979 (saslauthd)
CGroup: /system.slice/saslauthd.service
├─1979 /usr/sbin/saslauthd -m /run/saslauthd -a pam -r
├─1980 /usr/sbin/saslauthd -m /run/saslauthd -a pam -r
├─1981 /usr/sbin/saslauthd -m /run/saslauthd -a pam -r
├─1982 /usr/sbin/saslauthd -m /run/saslauthd -a pam -r
└─1983 /usr/sbin/saslauthd -m /run/saslauthd -a pam -r

Nov 03 12:19:08 ns1.domain.com.br systemd[1]: Starting SASL authentication daemon…
Nov 03 12:19:08 ns1.domain.com.br saslauthd[1979]: detach_tty : master pid is: 1979
Nov 03 12:19:08 ns1.domain.com.br saslauthd[1979]: ipc_init : listening on socket: /run/saslauthd/mux
Nov 03 12:19:08 ns1.domain.com.br systemd[1]: Started SASL authentication daemon…
systemctl status saslauthd -l

# MY CONFIGS
myhostname = mail.domain.com.br
mydomain = domain.com.br
myorigin = $mydomain
inet_protocols = ipv4
mydestination = $myhostname, localhost, ns1.domain.com.br
mynetworks = 168.100.189.0/28, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
recipient_bcc_maps = hash:/etc/postfix/bcc
queue_directory = /var/spool/postfix

# SASL

broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_local_domain = domain.com.br
smtpd_recipient_restrictions = check_policy_service unix:/var/spool/postfix/postgrey/socket

# TLS

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.domain.com.br.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.domain.com.br.crt
smtpd_tls_security_level=encrypt
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous, noplaintext

# OTHERS

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
/etc/postfix/main.cf

smtp inet n - n - - smtpd
/etc/postfix/master.cf

protocols = imap pop3
listen = *

/etc/dovecot/dovecot.conf

disable_plaintext_auth = no
auth_mechanisms = plain login

/etc/dovecot/10-auth.conf

service auth {
  unix_listener auth-userdb {
    #mode = 0660
    #user = postfix
    #group = postfix
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}
/etc/dovecot/10-master.conf

log_path = /var/log/dovecot.info
info_log_path = /var/log/dovecot.info
debug_log_path = /var/log/dovecot.debug
auth_verbose = yes
auth_debug = yes
mail_debug = yes
verbose_ssl = yes

/etc/dovecot/10-logging.conf

Thanks for the attention.
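Added example, not part of the original post and not code from Postfix or Dovecot: with `smtpd_sasl_type = dovecot`, Postfix drops every mechanism whose security properties conflict with `smtpd_sasl_security_options`, and the settings posted above combine `noplaintext` with `auth_mechanisms = plain login`. The sketch computes which mechanisms survive; the property table and all helper names are assumptions made for illustration.

```python
import re

# Security properties Dovecot reports for each mechanism (assumed subset,
# enough for the settings in this thread).
MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": {"dictionary", "active"},
}
# Postfix security option -> mechanism property it rules out.
EXCLUDES = {"noplaintext": "plaintext", "noanonymous": "anonymous",
            "nodictionary": "dictionary", "noactive": "active"}

# Settings copied from the first post.
MAIN_CF_FROM_POST = """
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous, noplaintext
"""
DOVECOT_FROM_POST = """
disable_plaintext_auth = no
auth_mechanisms = plain login
"""
# Constructed variant: noplaintext removed, AUTH still restricted to TLS.
MAIN_CF_CONSTRUCTED = """
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
"""

def parse_settings(text, continuation=True):
    """Collect 'key = value' pairs; main.cf continues a value on indented lines."""
    settings, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if continuation and raw[0] in " \t" and key:
            settings[key] += " " + line
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def split_list(value):
    """Split a comma- and/or whitespace-separated value."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]

def surviving(mechs, options):
    """Mechanisms left after the security options are applied.
    Mechanisms missing from MECH_PROPS are treated as unrestricted."""
    banned = {EXCLUDES[o] for o in options if o in EXCLUDES}
    return [m for m in mechs if not (MECH_PROPS.get(m, set()) & banned)]

def audit(main_cf, dovecot_conf):
    """Mechanism lists Postfix could offer without and with TLS."""
    postfix = parse_settings(main_cf)
    dovecot = parse_settings(dovecot_conf, continuation=False)
    mechs = [m.upper() for m in split_list(dovecot.get("auth_mechanisms", "plain"))]
    plain = split_list(postfix.get("smtpd_sasl_security_options", "noanonymous"))
    tls = split_list(postfix.get("smtpd_sasl_tls_security_options", " ".join(plain)))
    return {"cleartext_session": surviving(mechs, plain),
            "tls_session": surviving(mechs, tls)}

if __name__ == "__main__":
    print("posted:     ", audit(MAIN_CF_FROM_POST, DOVECOT_FROM_POST))
    print("constructed:", audit(MAIN_CF_CONSTRUCTED, DOVECOT_FROM_POST))
```

An empty list is the condition under which smtpd logs `fatal: no SASL authentication mechanisms`. In the constructed variant, keeping PLAIN and LOGIN off unencrypted sessions is left to `smtpd_tls_auth_only = yes`, which the posted main.cf already sets.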

This is my postfix main.cf file which I have just been playing around with in order to reduce spam and stop backscatter. You certainly need to add to smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated.

N.B. I am far from being an expert in Postfix configuration but this works for me and reduced the amount of spam I was getting from over 100 a day to less than 10.

You may wish to take a look at these, which I found useful.

https://www.pantz.org/software/postfix/

https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/

biff = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_name = mail.domain.co.uk
smtpd_banner = ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
myhostname = server.domain.co.uk
mydomain = server.domain.co.uk
inet_protocols = all
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, server.domain.co.uk
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, etc #run postconf -d to get this
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
bounce_size_limit = 2000
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 20
smtpd_junk_command_limit = 20
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/

2bounce_notice_recipient = postmaster@domain.co.uk
error_notice_recipient = postmaster@domain.co.uk
bounce_notice_recipient = postmaster@domain.co.uk

header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks

# Reject codes

access_map_reject_code = 554
defer_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
non_fqdn_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# SMTP Restrictions

smtpd_client_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/client_restrictions,
    reject_unknown_client

smtpd_helo_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    check_helo_access regexp:/etc/postfix/helo.regexp,
    warn_if_reject reject_invalid_hostname,
    permit

smtpd_etrn_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    permit

smtpd_recipient_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/client_restrictions,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_client,
    warn_if_reject reject_unknown_hostname,
    reject_unauth_pipelining,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client zen.spamhaus.org,
    permit

smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit

smtpd_timeout = 300s
smtp_destination_rate_delay = 1s
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/domain.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/domain.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/postfix/header_checks and /etc/postfix/helo.regexp and /etc/postfix/client_restrictions

See https://www.pantz.org/software/postfix/

In some other Postfix configurations I saw this being used as one of the RBL lists: enablerbl:dnsbl.sorbs.net. However, on this list Google is blacklisted and apparently has been for 8 years!!! The regex in client_restrictions should overcome this but I didn’t have time to fully test it yet. Make sure the checks in smtpd_recipient_restrictions are before the reject_rbl_client lines.

Also check /etc/postfix/virtual as I had catchall email addresses going to BOUNCE which I removed after which you need to run

postmap /etc/postfix/virtual
service postfix restart

Thanks for your attention.

Is it too much to ask you for your master.cf and dovecot conf?

I will check that tomorrow and update here.

Hi

Hope this helps.

master.cf

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
my.ip.add.ress:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
my.ip.add.ress:submission inet n - n - - smtpd
  -o smtpd_tls_security_level=may
  -o tls_preempt_cipherlist=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
#submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:submission inet n - n - - smtpd

dovecot.conf

## Dovecot configuration file

# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Protocols we want to be serving.
#protocols = imap pop3 lmtp
#protocols = imap pop3 imaps pop3s
protocols = imap pop3

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0

# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Dictionary server settings

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
#!include_try /etc/dovecot/local.conf
#ssl_ca_file = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
ssl_ca = </etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
#ssl_verify_client_cert=yes