I am transferring an MTA to newer servers running Ubuntu 20.04 LTS. SMTPS is working well, thus permitting clients to send mails after authentication. However, when sending mails from remote MTAs for local delivery, postfix is failing due to fatal: no SASL authentication mechanisms.

Dec 28 12:22:03 smtp postfix/smtpd[63402]: connect from unknown[1.2.3.4]
Dec 28 12:22:03 smtp postfix/smtpd[63402]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Dec 28 12:22:03 smtp postfix/smtpd[63402]: fatal: no SASL authentication mechanisms
Dec 28 12:22:04 smtp postfix/master[63342]: warning: process /usr/lib/postfix/sbin/smtpd pid 63402 exit status 1
Dec 28 12:22:04 smtp postfix/master[63342]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

There are existing questions here regarding similar issues. But this time it's different:

  • SASL is working fine, authenticating against LDAP directory via saslauthd. So, there is no missing plugin installation for SASL.
  • Authentication works well when connecting via SMTPS. It's just failing on regular SMTP port 25.

When testing SMTP connectivity with netcat, the connection is closed before the server sends its HELO string. So, I figured out this is related to smtpd_client_restrictions in /etc/postfix/main.cf:

smtpd_client_restrictions =
        permit_sasl_authenticated
        # postgrey:
        check_policy_service inet:localhost:10023

This is required to prevent outgoing mails of authenticated senders from being subject to greylisting.

In /etc/postfix/main.cf SASL is configured like this:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes

Lines 2 and 3 here are required to prevent plaintext logins in unencrypted SMTP, but to accept them after the client has started TLS via STARTTLS or in case of a client connecting via SMTPS. I see the STARTTLS scenario could be dropped to force all authentication to go through TLS-encrypted SMTPS, and I could enable SASL via master.cf for SMTPS only. But existing users aren't meant to adjust their setup at all.

Thomas Urban

2 Answers

As far as I can tell the issue is due to

smtpd_sasl_security_options = noanonymous,noplaintext

in combination with SASL authenticating against an LDAP directory via saslauthd. This causes PLAIN and LOGIN to be the only available login methods. They are both disabled due to noplaintext here. I want postfix not to offer any authentication when there are no SASL methods available.

For testing purposes I was able to fix this by adding another login method in /etc/postfix/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5

This way, SMTP was accepting incoming connections on port 25 from remote MTAs. However, this is not a solution, for now there is a login method actual clients would pick for authentication though it isn't expected to ever succeed. See http://www.postfix.org/SASL_README.html for additional information on setting up Cyrus SASL for use with saslauthd.

So, I kept searching and stumbled over another option I was obviously misreading and thus skipped when transferring the configuration: smtpd_tls_auth_only. This boolean option controls whether TLS is required for authentication. It is set to no by default, thus causing the SASL authentication to be set up for unencrypted SMTP. After switching this option to yes in the main.cf file, SMTP is working well again.

Thomas Urban

I found that the fix was uncommenting this line in the master.cf file:

-o smtpd_tls_auth_only=yes
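Both answers come down to the same interaction: SASL enabled on the port 25 service, noplaintext in smtpd_sasl_security_options, a saslauthd setup that can only offer PLAIN and LOGIN, and smtpd_tls_auth_only left at its default of no, so the unencrypted session has no mechanism left and smtpd exits at startup. The following is an added example (not part of the question, the answers, or Postfix itself) that lints a main.cf, the Cyrus smtpd.conf and optionally a master.cf service entry for exactly that combination. The sample configuration strings are constructed to mirror the snippets above; the assumption that a missing mech_list means PLAIN LOGIN reflects what a saslauthd-only setup can actually use, not a Cyrus default.

```python
"""Lint Postfix SASL settings for the 'fatal: no SASL authentication mechanisms'
startup failure on an unencrypted smtpd service (example code added to this
page; not Postfix code)."""
import re

# Cyrus mechanisms that transmit the credential in the clear; 'noplaintext'
# removes exactly these from sessions that are not TLS-protected.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_main_cf(text):
    """Parse main.cf: 'key = value', '#' comment lines, whitespace-led continuations."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored anywhere
        if line[0] in " \t" and key:      # continuation of the previous parameter
            params[key] = (params[key] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params


def parse_sasl_conf(text):
    """Parse Cyrus 'option: value' lines (e.g. /etc/postfix/sasl2/smtpd.conf)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            opts[name.strip()] = value.strip()
    return opts


def parse_master_cf_overrides(text, service="smtp"):
    """Collect the '-o name=value' overrides under one master.cf service entry."""
    overrides, active = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":          # a service entry starts in column 0
            active = line.split()[0] == service
            continue
        m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(\S+)", line)
        if active and m:
            overrides[m.group(1)] = m.group(2)
    return overrides


def split_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return {v for v in re.split(r"[,\s]+", value) if v}


def audit_port25_sasl(main_cf, sasl_conf, master_overrides=None):
    """Return findings; an empty list means the unencrypted service starts cleanly."""
    params = dict(main_cf)
    params.update(master_overrides or {})   # master.cf '-o' settings win per service
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings                      # SASL not offered here, nothing to check
    if params.get("smtpd_tls_auth_only", "no") == "yes":
        return findings                      # AUTH only after STARTTLS: no plaintext mech needed
    options = split_list(params.get("smtpd_sasl_security_options", "noanonymous"))
    # Assumption: a saslauthd backend can only use PLAIN/LOGIN when mech_list is unset.
    mechs = split_list(sasl_conf.get("mech_list", "PLAIN LOGIN"))
    usable = mechs - PLAINTEXT_MECHS if "noplaintext" in options else mechs
    if not usable:
        findings.append(
            "no SASL mechanism survives 'noplaintext' on an unencrypted session; "
            "smtpd exits with 'fatal: no SASL authentication mechanisms'. "
            "Set smtpd_tls_auth_only = yes in main.cf or via '-o' in master.cf.")
    return findings


# Constructed samples mirroring the configuration quoted in the question.
BROKEN_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_client_restrictions =
        permit_sasl_authenticated
        # postgrey:
        check_policy_service inet:localhost:10023
"""
FIXED_MAIN_CF = BROKEN_MAIN_CF + "smtpd_tls_auth_only = yes\n"
SASLAUTHD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
MASTER_CF_FIX = """\
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_auth_only=yes
"""

if __name__ == "__main__":
    sasl = parse_sasl_conf(SASLAUTHD_CONF)
    print("broken:", audit_port25_sasl(parse_main_cf(BROKEN_MAIN_CF), sasl))
    print("main.cf fix:", audit_port25_sasl(parse_main_cf(FIXED_MAIN_CF), sasl))
    print("master.cf fix:", audit_port25_sasl(parse_main_cf(BROKEN_MAIN_CF), sasl,
                                              parse_master_cf_overrides(MASTER_CF_FIX)))
```

Feeding it the output of `postconf -n` (which already prints one parameter per line) works the same way as the main.cf parser above. Adding CRAM-MD5 to mech_list makes the finding disappear as well, which is exactly why the first answer rejects that workaround: it silences the startup error by advertising a mechanism that saslauthd cannot verify.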