postfix and dovecot issues

tony33

Active Member

Reaction score: 4
Messages: 131

here's the log errors:

Code:
Feb 17 20:03:08 tony33server1 postfix/smtpd[32841]: Anonymous TLS connection established from (my ipaddress) : TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 17 20:03:18 tony33server1 postfix/smtpd[32841]: fatal: no SASL authentication mechanisms
Feb 17 20:03:19 tony33server1 postfix/master[2202]: warning: process /usr/local/libexec/postfix/smtpd pid 32841 exit status 1
Feb 17 20:03:19 tony33server1 postfix/master[2202]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Feb 17 20:18:28 tony33server1 postfix[34109]: Postfix is running with backwards-compatible default settings
Feb 17 20:18:28 tony33server1 postfix[34109]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Feb 17 20:18:28 tony33server1 postfix[34109]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34162]: warning: group or other writable: /usr/local/etc/postfix/./mysql_relay_domains_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34163]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_alias_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34164]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_domains_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34165]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_lookup.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34166]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_mailbox_limit_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34167]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_mailbox_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34168]: warning: group or other writable: /usr/local/etc/postfix/./transport
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34169]: warning: group or other writable: /usr/local/etc/postfix/./transport.db
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34171]: warning: not owned by postfix: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34172]: warning: not owned by postfix: /var/db/postfix/./prng_exch
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34174]: warning: group or other writable: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34175]: warning: group or other writable: /var/db/postfix/./prng_exch
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34187]: warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ


I would like to know what I can do to figure out what the issue is. My postfix is set up to use dovecot. I know the "group or other writable" warnings are permission issues.
I would like to know if this would cause the "fatal: SASL auth mechanism" error? I do have sasl auth mechanisms configured in the config file.
If someone could give me some commands I should run to get a better picture of what might be going wrong. saslauthd is running; I checked, and so are dovecot and postfix.
I would appreciate the help, thanks guys.
 

trev

Aspiring Daemon

Reaction score: 244
Messages: 956

The warning messages are telling you what is wrong. Fix those permissions (+ ownership) where indicated.
 

msplsh

Well-Known Member

Reaction score: 131
Messages: 406

Dovecot is probably vending the SASL, so more information may be in there. The last time I set this up, I have notes that /usr/local/etc/sasldb* needs to be group mail readable and postfix needs to be in the mail group.

Only the last five warnings are definitely wrong and you should fix the permissions. The others may be wrong.
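To make the permission part of the log actionable, here is an added example (not Postfix's own tooling, and not from anyone in this thread) that turns the postfix-script warnings into a dry-run chmod/chown plan and audits a tree for the same conditions. It assumes the daemon user is named postfix and the FreeBSD paths quoted in the log; the sample lines are copied from the first post. It also flags one thing Postfix does not warn about: the mysql_*.cf maps hold a database password, so they should not be readable by "other" either.

```python
"""Audit Postfix files for what postfix-script warns about in the log above
(group/other writable, not owned by postfix) and turn the warnings into a
dry-run fix plan. Added example for this thread, not Postfix's own tooling.
Assumptions: the daemon user is 'postfix' and the paths are the FreeBSD
defaults quoted in the log (/usr/local/etc/postfix, /var/db/postfix)."""
import os
import pwd
import re
import stat
from typing import Iterable, List, Optional

# Shape of the postfix-script warnings shown in the thread.
WARN_RE = re.compile(
    r"postfix/postfix-script\[\d+\]: warning: "
    r"(?P<kind>group or other writable|not owned by (?P<owner>\S+)): (?P<path>\S+)"
)

# Constructed sample: three lines copied from the log in the first post.
SAMPLE_LOG = [
    "Feb 17 20:18:29 tony33server1 postfix/postfix-script[34168]: warning: "
    "group or other writable: /usr/local/etc/postfix/./transport",
    "Feb 17 20:18:29 tony33server1 postfix/postfix-script[34171]: warning: "
    "not owned by postfix: /var/db/postfix/./master.lock",
    "Feb 17 20:18:29 tony33server1 postfix/postfix-script[34174]: warning: "
    "group or other writable: /var/db/postfix/./master.lock",
]


def plan_from_log(lines: Iterable[str]) -> List[str]:
    """Map each warning to the chmod/chown that clears it (deduplicated, dry run)."""
    cmds: List[str] = []
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        path = os.path.normpath(m.group("path"))  # drops the './' Postfix prints
        if m.group("kind").startswith("group or other"):
            cmd = f"chmod go-w {path}"
        else:
            cmd = f"chown {m.group('owner')} {path}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


def audit_mode(path: str, mode: int, uid: int,
               expected_uid: Optional[int]) -> List[str]:
    """Pure check of one file's mode and owner; expected_uid=None skips the owner test."""
    findings: List[str] = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group or other writable: {path}")
    if expected_uid is not None and uid != expected_uid:
        findings.append(f"not owned by uid {expected_uid}: {path}")
    # Postfix does not warn about this, but the mysql_*.cf maps in the log
    # carry a database password and should not be readable by 'other'.
    if os.path.basename(path).startswith("mysql_") and mode & stat.S_IROTH:
        findings.append(f"world-readable credential map: {path}")
    return findings


def audit_tree(directory: str, owner: Optional[str]) -> List[str]:
    """Walk a directory and apply audit_mode to every regular file."""
    expected_uid = pwd.getpwnam(owner).pw_uid if owner else None
    findings: List[str] = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                findings.extend(audit_mode(p, st.st_mode, st.st_uid, expected_uid))
    return findings


if __name__ == "__main__":
    for cmd in plan_from_log(SAMPLE_LOG):
        print(cmd)
    # The config dir is normally root-owned, so only modes are checked there;
    # the data dir must belong to the postfix user.
    for line in audit_tree("/usr/local/etc/postfix", None) + \
            audit_tree("/var/db/postfix", "postfix"):
        print(line)
```

Run it as root on the mail host to get the plan and the live findings; `postfix set-permissions` handles the /var/db/postfix ownership itself, but the credential-map readability is something you have to check for yourself.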
 
tony33

Active Member

Reaction score: 4
Messages: 131

The warning messages are telling you what is wrong. Fix those permissions (+ ownership) where indicated.
Yeah, I understood that. I am trying to figure out if that's the reason for the error message "fatal: no SASL authentication mechanisms",
because that's what is shown first, before the other errors, and I think the permission issues aren't causing the "fatal: no SASL authentication mechanisms" error.

My main question is what's causing the "fatal: no SASL authentication mechanisms" error?
 

anlashok

Member

Reaction score: 31
Messages: 65

That is symptomatic of Postfix not being able to access what you have configured as the SASL provider. This could be that Dovecot isn't running, or is using a different directory for its authentication compared with what you have configured in Postfix.

Check your dovecot.conf and the postfix config for smtpd_sasl_auth_path=/your_path; they should both be using the same location.

this thread might help
 

Machiaveli

Member

Reaction score: 7
Messages: 31

I would like to know what I can do to figure out what the issue is. My postfix is set up to use dovecot. I know the "group or other writable" warnings are permission issues.
I would like to know if this would cause the "fatal: SASL auth mechanism" error? I do have sasl auth mechanisms configured in the config file.
If someone could give me some commands I should run to get a better picture of what might be going wrong. saslauthd is running; I checked, and so are dovecot and postfix.
I would appreciate the help, thanks guys.
You don't need an external SASL daemon running, as dovecot (since version >= 1.0) provides an SASL authentication facility, as long as your postfix has been built with dovecot's SASL authentication service (check with postconf -a).

Both postfix and dovecot have incredibly up-to-date and accurate documentation on how things work.
 
tony33

Active Member

Reaction score: 4
Messages: 131

You don't need an external SASL daemon running, as dovecot (since version >= 1.0) provides an SASL authentication facility, as long as your postfix has been built with dovecot's SASL authentication service (check with postconf -a).

Both postfix and dovecot have incredibly up-to-date and accurate documentation on how things work.
Yes, that command
Code:
postconf -a
spits out this: dovecot.

Should my config be set up like the one you linked me to? My setup used to work with plain text. I set up the system to use plaintext login but used mysql as a database for domains and user accounts. I then wanted the data encrypted for additional security, so I configured the server to use SSL/TLS following a tutorial online, but it never really showed whether I had to do anything for mysql to look up users and domain names that the mail server would be used for.

I would like to know how to set up postfix and dovecot to use SSL and TLS. Why is it complaining about "fatal: no SASL authentication mechanisms"?

Do note that postfix and dovecot have been updated to the latest version. So, I don't know what it spits out if it's using an old dovecot version.
I will check my configs today, and today I plan on fixing those permission issues.
 

msplsh

Well-Known Member

Reaction score: 131
Messages: 406

If you didn't do anything to figure out how to setup passdb and userdb on Dovecot, you're going to be in trouble. Setting up mail is a giant pain in the reading-the-docs. If you expect your mail setup to use MySQL and didn't configure a password_query, user_query, or iterate_query in Dovecot (This is not a complete list of the config variables necessary for a working configuration) and/or didn't create a table that those queries reference, it's just not going to work. SASL won't even have anything to query if this isn't configured.

I went and looked at how I have SASL set up... I make no claims to suitability or fit for purpose.


Postfix:
Code:
smtpd_sasl_type = dovecot
# relative to $queue_directory
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes


Dovecot:
Code:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    path = /var/spool/postfix/private/auth
    user = postfix
    group = group_both_dovecot_and_postfix_belong_to
    mode = 0660
  }
}
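The two snippets above only work together if Postfix's `smtpd_sasl_path` (relative to `queue_directory`) resolves to the very socket Dovecot's `unix_listener` creates, and if the socket's owner/mode let the postfix user open it. Here is an added example (not part of Postfix or Dovecot, and not msplsh's code) that checks exactly that offline against config text, plus a live variant using `postconf` and `doveconf -n`. It assumes Postfix runs as user postfix and Dovecot's default base_dir of /var/run/dovecot; the samples are constructed from the snippets in this post with `mail` standing in for the shared group.

```python
"""Check that Postfix's SASL settings point at a socket Dovecot actually
creates, which is what 'fatal: no SASL authentication mechanisms' usually
comes down to. Added example for this thread, not part of either project.
Assumptions: Postfix runs as user 'postfix', Dovecot's default base_dir is
/var/run/dovecot, and the samples below are constructed from msplsh's post."""
import os
import subprocess
from typing import Dict, List

POSTFIX_USER = "postfix"
DOVECOT_BASE_DIR = "/var/run/dovecot"

SAMPLE_MAIN_CF = """
queue_directory = /var/spool/postfix
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
"""
SAMPLE_DOVECOT = """
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    group = mail
    mode = 0660
  }
}
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines (main.cf or 'postconf' output), ignoring comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def dovecot_auth_listeners(conf: str, base_dir: str = DOVECOT_BASE_DIR) -> List[Dict]:
    """Minimal parser for 'service auth { unix_listener NAME { ... } }' blocks."""
    stack: List[tuple] = []  # (block type, block name, settings) per open brace
    listeners: List[Dict] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            parts = line[:-1].split()
            stack.append((parts[0], parts[1] if len(parts) > 1 else "", {}))
        elif line == "}":
            btype, bname, settings = stack.pop()
            if btype == "unix_listener" and stack and stack[-1][:2] == ("service", "auth"):
                path = settings.get("path", bname)  # an explicit 'path =' wins over the name
                if not os.path.isabs(path):
                    path = os.path.join(base_dir, path)
                listeners.append({"path": os.path.normpath(path),
                                  "user": settings.get("user", ""),
                                  "group": settings.get("group", ""),
                                  "mode": int(settings.get("mode", "0600"), 8)})
        elif "=" in line and stack:
            k, v = line.split("=", 1)
            stack[-1][2][k.strip()] = v.strip()
    return listeners


def check_sasl_wiring(postfix: Dict[str, str], dovecot_conf: str) -> List[str]:
    """Return the mismatches found; an empty list means the two sides agree."""
    problems: List[str] = []
    if postfix.get("smtpd_sasl_type") != "dovecot":
        problems.append(f"smtpd_sasl_type is {postfix.get('smtpd_sasl_type')!r}, expected 'dovecot'")
    if postfix.get("smtpd_sasl_auth_enable", "no") != "yes":
        problems.append("smtpd_sasl_auth_enable is not 'yes' (globally or via -o in master.cf)")
    sasl_path = postfix.get("smtpd_sasl_path", "")
    # A relative smtpd_sasl_path is taken under queue_directory, so a chrooted smtpd can reach it.
    if not os.path.isabs(sasl_path):
        sasl_path = os.path.join(postfix.get("queue_directory", ""), sasl_path)
    expected = os.path.normpath(sasl_path)
    matches = [l for l in dovecot_auth_listeners(dovecot_conf) if l["path"] == expected]
    if not matches:
        problems.append(f"no Dovecot unix_listener under 'service auth' at {expected}")
        return problems
    sock = matches[0]
    # Postfix must be able to open the socket: own it, or get access through group/other bits.
    if sock["user"] != POSTFIX_USER and not sock["mode"] & 0o066:
        problems.append(f"{expected} is user={sock['user']} mode={sock['mode']:04o}: postfix gets no access")
    return problems


def check_live() -> List[str]:
    """Same check against the running system (postconf and doveconf must be on PATH)."""
    names = ["queue_directory", "smtpd_sasl_type", "smtpd_sasl_path", "smtpd_sasl_auth_enable"]
    pf = parse_kv(subprocess.run(["postconf", *names], capture_output=True, text=True, check=True).stdout)
    dc = subprocess.run(["doveconf", "-n"], capture_output=True, text=True, check=True).stdout
    return check_sasl_wiring(pf, dc)


if __name__ == "__main__":
    print(check_sasl_wiring(parse_kv(SAMPLE_MAIN_CF), SAMPLE_DOVECOT) or "sample: OK")
```

The socket-mode test is deliberately conservative: with `user = postfix` it passes regardless of mode, otherwise it insists on group or other bits, since it cannot know offline whether postfix is actually a member of the listener's group.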
 

Machiaveli

Member

Reaction score: 7
Messages: 31

Yes, that command
Code:
postconf -a
spits out this: dovecot.

should my config be setup like the one you linked at me?

Your setup should stick to what the dovecot and postfix documentation explain.
@msplsh's postfix main.cf configuration snippet is what you need to have postfix make use of dovecot's sasl facility (through the auth socket).

You can omit
Code:
smtpd_sasl_auth_enable = yes
if your postfix does not serve as a relay host of another MTA.

On top of this snippet you can increase security by using
Code:
smtpd_sender_login_maps
(this will tie sasl users to the MAIL FROM envelope header they're using). But first make your sasl configuration work.

As for the dovecot part, @msplsh's configuration snippet is the right one to set up an sasl authentication socket that postfix will use to allow sasl authenticated clients to submit emails to the MSA (submission and/or smtps postfix subprocesses defined in postfix's master.cf).

My setup used to work with plain text. I set up the system to use plaintext login but used mysql as a database for domains and user accounts. I then wanted the data encrypted for additional security, so I configured the server to use SSL/TLS following a tutorial online, but it never really showed whether I had to do anything for mysql to look up users and domain names that the mail server would be used for.
Plain text login is ok as long as sasl authenticated clients connect either via STARTTLS (submission on port 587) or, better, via SSL (smtps on port 465).
Clients' passwords are anyway hashed by default with CRAM-MD5 by dovecot when stored (in an SQL database or plain text file). You may switch to a more secure hash scheme though (blowfish is great and by default uses 5 rounds of salting in dovecot).

Configuring dovecot to use an SQL database is done at several levels of dovecot's configuration.

#1 Via a passdb with an sql driver and queries to retrieve data:
Code:
passdb {
  driver = sql
  args = /path_to_an_sql_query_statement
}


#2 Via a dict service for proxying SQL lookups:
Code:
service dict {
  unix_listener dict {
    mode = 0660
    user = <mail_user>
    group = <mail_group>
  }
}


#3 Via a userdb prefetching:
Code:
userdb {
  driver = prefetch
}

userdb {
  driver = sql
  args = /path_to_an_sql_query_statement
}


I would like to know how to set up postfix and dovecot to use SSL and TLS. Why is it complaining about "fatal: no SASL authentication mechanisms"?
postfix spits out this error because it can't find any sasl authentication mechanisms (be it a socket or a TCP inet port).
SASL authentication mechanisms are made available by an external daemon (an MDA or a lone sasl daemon).

Dovecot as an MDA (Mail Delivery Agent) can create and make available such a socket.

As for securing your email chain with SSL/TLS, this is done both at MTA level (postfix), MSA level (postfix's submission and/or smtps subprocess) and MDA level (dovecot in your case).

In main.cf (for the postfix smtpd process: inbound connections from other MTAs):
Code:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_chain_files = <path_to_your_certificate_private_key> <path_to_your_certificate_fullchain>
# If your smtpd does have virtual domains, use this:
tls_server_sni_maps = <path_to_a_map_for_virtual_domains_if_any>


In main.cf (for postfix smtp process: for outbound connections to remote MTAs):
Code:
smtp_tls_session_cache_database = btree:$data_directory/smtp_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1


In master.cf (for postfix submission process: for STARTTLS inbound connections from sasl authenticated clients):
Code:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt


In master.cf (for postfix smtps process: for SSL inbound connections from sasl authenticated clients):
Code:
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes


For dovecot:
Code:
ssl_dh = </path_to_dovecot_diffie_hellman_exchange_keys_certificate

# Serving up IMAP facilities to remote clients (both STARTTLS and SSL connections)
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# Make use of our TLS certificate
ssl_cert = </path_to_your_certificate_fullchain>
ssl_key = </path_to_your_certificate_private_key>


Do note that postfix and dovecot have been updated to the latest version. So, I don't know what it spits out if it's using an old dovecot version.
I will check my configs today, and today I plan on fixing those permission issues.
That's the first thing to do: fix up permissions. Then configure dovecot to serve an sasl authentication socket, then enforce TLS/SSL at the MTA (postfix smtpd/smtp processes), MSA (postfix submission/smtps subprocesses) and MDA (dovecot) levels.

Setting up a complete mail exchanger is not a trivial thing and I highly recommend subscribing to the dovecot and postfix mailing lists to get reviews of your configuration and ask for advice on how to achieve a secure mail chain.
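The TLS settings in this post are spread over main.cf and per-service `-o` overrides in master.cf, and Postfix resolves them the same way: main.cf supplies defaults, each smtpd service may override. The check a reviewer would want is that no smtpd service offers SASL AUTH on a cleartext connection, which is exactly what `smtpd_tls_auth_only = yes` on port 25, `encrypt` on submission and wrapper mode on smtps achieve. Below is an added example (not Postfix's own tooling, not from anyone in this thread) that parses both files and reports where AUTH would be reachable without TLS. The sample configs are constructed from the snippets above, with `smtpd_tls_auth_only` deliberately left commented out so the finding shows.

```python
"""Check that every inet smtpd service offering SASL AUTH forces TLS first,
combining main.cf defaults with the '-o' overrides in master.cf the way
Postfix does. Added example for this thread, not Postfix's own tooling;
the sample configs are constructed from the snippets in the post above."""
from typing import Dict, List

SAMPLE_MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
# smtpd_tls_auth_only = yes      <- left out on purpose to show the finding
"""

SAMPLE_MASTER_CF = """
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
pickup     unix  n       -       n       60      1       pickup
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """'key = value' lines; '#' comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def parse_master_cf(text: str) -> Dict[str, Dict]:
    """Return {service: {"type", "command", "overrides"}} from master.cf text.

    A service line has eight fields (name type private unpriv chroot wakeup
    maxproc command); indented continuation lines carry '-o key=value'."""
    services: Dict[str, Dict] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            toks = raw.split()
            if current and len(toks) >= 2 and toks[0] == "-o" and "=" in toks[1]:
                k, v = toks[1].split("=", 1)
                services[current]["overrides"][k] = v
            continue
        toks = raw.split()
        if len(toks) < 8:
            continue
        current = toks[0]
        services[current] = {"type": toks[1], "command": toks[7], "overrides": {}}
    return services


def check_tls_before_auth(main_cf: Dict[str, str], master_cf: Dict[str, Dict]) -> List[str]:
    """List every network-facing smtpd where AUTH is reachable without TLS."""
    problems: List[str] = []
    for name, svc in master_cf.items():
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        eff = dict(main_cf)            # main.cf defaults ...
        eff.update(svc["overrides"])   # ... overridden per service, as Postfix does
        sasl = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        level = eff.get("smtpd_tls_security_level", "none")
        wrapper = eff.get("smtpd_tls_wrappermode", "no") == "yes"
        auth_only = eff.get("smtpd_tls_auth_only", "no") == "yes"
        if sasl and not (wrapper or level == "encrypt" or auth_only):
            problems.append(f"{name}: SASL AUTH is offered on cleartext connections "
                            f"(smtpd_tls_security_level={level}, smtpd_tls_auth_only=no)")
        if name == "submission" and level != "encrypt":
            problems.append(f"{name}: expected smtpd_tls_security_level=encrypt, got {level}")
        if name == "smtps" and not wrapper:
            problems.append(f"{name}: expected smtpd_tls_wrappermode=yes")
    return problems


if __name__ == "__main__":
    found = check_tls_before_auth(parse_main_cf(SAMPLE_MAIN_CF), parse_master_cf(SAMPLE_MASTER_CF))
    print("\n".join(found) or "OK: TLS is enforced before AUTH everywhere")
```

Point it at the real files with `parse_main_cf(open("/usr/local/etc/postfix/main.cf").read())` and the same for master.cf; the finding on the port 25 service disappears as soon as `smtpd_tls_auth_only = yes` from the post is present.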
 

Jose

Aspiring Daemon

Reaction score: 489
Messages: 646

Plain text login is ok as long as sasl authenticated clients does connect either via STARTTLS (submission on port 587) or better via SSL (smtps on port 465).
Be aware that the situation here is kind of a mess

I use, and will continue to use port 465 until it stops working, mainly out of spite. I hate bureaucratic cat fights.
 

Machiaveli

Member

Reaction score: 7
Messages: 31

Be aware that the situation here is kind of a mess
Yep, RFC 8314 was discussed on the postfix-users mailing list a while ago, and the current consensus among posters on that list is to use SSL wrappermode for every submission on port 465/TCP for now (hence postfix's files and documentation still use "smtps" to define SSL submission to an MSA).

We're currently in a fuzzy mess where STARTTLS via 587/TCP is so widely used and known by users that 465/TCP came back to the front of the scene just so as not to mess up habits.

But things will change sooner or later and 587/TCP will become "submissions" (where the final "s" means encrypted submission, as opposed to regular STARTTLS "submission").

I use, and will continue to use port 465 until it stops working, mainly out of spite. I hate bureaucratic cat fights.
That's the best thing to do at this moment, until users' habits change from STARTTLS to SSL/TLS.

Join the postfix-users mailing list to stay tuned about this.
 