SASL authentication failure after updating 20.04 to Ubuntu 22.04

SYSTEM INFORMATION
OS type and version Ubuntu 22.04
Webmin version 1.999

I’m getting lots of errors with postfix after upgrading Ubuntu from 20.04 to 22.04:

Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: connect from mail-pj1-f49.google.com[209.85.216.49]
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: warning: connect to Milter service inet:localhost:8891: Connection refused
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: warning: SASL authentication failure: Password verification failed
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: warning: mail-pj1-f49.google.com[209.85.216.49]: SASL PLAIN authentication failed: generic failure
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Aug 16 18:51:24 fish postfix/submission/smtpd[4542]: lost connection after AUTH from mail-pj1-f49.google.com[209.85.216.49]

Here’s my postconf -n output:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
milter_default_action = accept
mydestination = $myhostname, fish.myhostname.com, localhost.myhostname.com, , localhost
myhostname = fish.myhostname.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
policyd-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_policy_service unix:private/policyd-spf, reject_rbl_client b.barracudacentral.org, reject_rbl_client sbl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
tls_server_sni_maps = hash:/etc/postfix/sni_map
virtual_alias_maps = hash:/etc/postfix/virtual

The solution was to add the following at the bottom of /etc/default/saslauthd:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"

Now I just need to figure out why authentication is now failing whereas it was previously working:

Aug 16 19:51:51 fish postfix/smtpd[7723]: disconnect from mail-qt1-f182.google.com[209.85.160.182] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Aug 16 19:51:51 fish postfix/submission/smtpd[7733]: connect from mail-pf1-f177.google.com[209.85.210.177]
Aug 16 19:51:54 fish postfix/submission/smtpd[7733]: warning: SASL authentication failure: Password verification failed
Aug 16 19:51:54 fish postfix/submission/smtpd[7733]: warning: mail-pf1-f177.google.com[209.85.210.177]: SASL PLAIN authentication failed: authentication failure
Aug 16 19:51:54 fish postfix/submission/smtpd[7733]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Aug 16 19:51:54 fish postfix/submission/smtpd[7733]: lost connection after AUTH from mail-pf1-f177.google.com[209.85.210.177]
Aug 16 19:51:54 fish postfix/submission/smtpd[7733]: disconnect from mail-pf1-f177.google.com[209.85.210.177] ehlo=2 starttls=1 auth=0/1 commands=3/4

Maybe it has to do with the “TLS library problem” warning above.

Does saslauthd run? Test with sudo systemctl status saslauthd
If not, it could be that a line with ‘START=yes’ is missing in /etc/default/saslauthd
See https://forum.virtualmin.com/t/cannot-login-email-in-outlook/116009/35?u=hansm

@HansM Yes, it was running. The problem was the OPTIONS setting.

Did this not exist in the /etc/default/saslauthd by default?

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

I can see that PARAMS line might help but the OPTIONS is a duplicate from what I see on some 20.04.x instances.
I have commented out both & saslauthd still works just fine with the initial default OPTIONS line.

The default file is:

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"
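
The chroot check that the default file's comments describe, as an added example that is not part of the thread or of the sasl2-bin package: it reads the chroot column of each smtpd entry in master.cf and compares it with the `-m` directory in the saslauthd defaults file. The function names, the `JAIL` variable and both sample files are constructed for illustration, and the sample master.cf assumes smtpd is chrooted, which the thread does not show.

```shell
#!/bin/sh
# Added example: does saslauthd's socket directory match Postfix's chroot setting?
JAIL=/var/spool/postfix   # Postfix chroot directory, as in the paths above

# Print "<service> <chroot-flag>" for every smtpd entry in a master.cf file.
# Columns: service type private unpriv chroot wakeup maxproc command
smtpd_chroot_flags() {
    awk '/^[^# \t]/ && $8 == "smtpd" { print $1, $5 }' "$1"
}

# Print the -m directory from the last uncommented OPTIONS= line
# (a later assignment overrides an earlier one).
sasl_socket_dir() {
    sed -n 's/^OPTIONS=.*[" ]-m  *\([^ "]*\).*/\1/p' "$1" | tail -n 1
}

# One line per smtpd service. $3 says how to read a "-" flag (y or n): the
# README comment treats it as chroot, but that default depends on the Postfix version.
check_sasl_chroot() {
    sock=$(sasl_socket_dir "$2")
    smtpd_chroot_flags "$1" | while read -r svc flag; do
        [ "$flag" = "-" ] && flag=$3
        want=/var/run/saslauthd
        [ "$flag" = "y" ] && want=$JAIL$want
        status=MISMATCH
        [ "$sock" = "$want" ] && status=OK
        echo "$svc chroot=$flag want=$want have=$sock $status"
    done
}

# Constructed sample files (not taken from the thread).
tmp=$(mktemp -d)
cat > "$tmp/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
EOF
printf '%s\n' 'OPTIONS="-c -m /var/run/saslauthd"' > "$tmp/before"
printf '%s\n' 'OPTIONS="-c -m /var/run/saslauthd"' \
    'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"' > "$tmp/after"

check_sasl_chroot "$tmp/master.cf" "$tmp/before" y   # stock OPTIONS line
check_sasl_chroot "$tmp/master.cf" "$tmp/after" y    # chroot path appended
```

On a real host, pass /etc/postfix/master.cf and /etc/default/saslauthd instead of the sample files.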

Weird. Either way I’m glad you figured it out.
