I configured postfix and dovecot as specified in http://www.postfix.org/SASL_README.html#server_dovecot_comm description to activate sasl authentication.

Unfortunately postfix rejects every connection with the following error showing in the log

postfix/smtpd[5238]: fatal: no SASL authentication mechanisms

I'm using Ubuntu LTS 10.04.

Googling around I saw many people reporting this obscure error without describing a clear diagnostic. It is not clear if the problem is on dovecot side or postfix side.

UPDATE: postfix sasl configuration obtained with postconf | grep -e "^smtpd.*sasl"

smtpd_recipient_restrictions = 
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client korea.services.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks = 
smtpd_sasl_local_domain = 
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot

When trying to connect with telnet localhost 25 the connection is immediately closed with the above message. Commenting out smtpd_sasl_auth_enable = yes disables sasl and connection completes normally.

Dovecot configuration obtained with dovecot -n

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-41-generic i686 Ubuntu 10.04.4 LTS 
log_timestamp: %Y-%m-%d %H:%M:%S 
protocols: imaps
ssl_cert_file: /home/xxxx/cacert/xxxx.net/server.crt
ssl_key_file: /home/xxxx/cacert/xxxx.net/server.key
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

Real values hidden with xxxx

root@xxxx:/etc/postfix# stat /var/spool/postfix/private/auth 
  File: «/var/spool/postfix/private/auth»
  Size: 0           Blocks: 0          IO Block: 4096   socket
Device: 801h/2049d  Inode: 6817165     Links: 1
Access: (0660/srw-rw----)  Uid: (  111/ postfix)   Gid: (  120/ postfix)
Access: 2012-08-10 16:47:06.000000000 +0200
Modify: 2012-08-10 16:46:09.000000000 +0200
Change: 2012-08-10 16:46:09.000000000 +0200

UPDATE: the error is removed if I change smtpd_tls_auth_only = no to smtpd_tls_auth_only = yes. Now I can receive mail to local mailbox from remote hosts.

I have to configure my MUA to connect with STARTTLS to be able to connect. If I try to connect with SSL/TLS the connection hangs. With STARTTLS, the connection is established, but as anonymous and thus mail relay is rejected which is what I wanted to enable. Here is what I see in syslog.

postfix/smtpd[7715]: connect from unknown[192.168.2.17]
postfix/smtpd[7715]: setting up TLS connection from unknown[192.168.2.17]
postfix/smtpd[7715]: Anonymous TLS connection established from unknown[192.168.2.17]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

UPDATE dovecot auth_debug output when trying to relay mail through postfix server. This is probably a postfix configuration problem.

postfix/smtpd[8186]: connect from unknown[192.168.2.17]
postfix/smtpd[8186]: setting up TLS connection from unknown[192.168.2.17]
postfix/smtpd[8186]: Anonymous TLS connection established from unknown[192.168.2.17]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
dovecot: auth(default): new auth connection: pid=8186
dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=192.168.2.3#011rip=192.168.2.17#011secured#011resp=<hidden>
home dovecot: auth-worker(default): pam(yyyy,192.168.2.17): lookup service=dovecot
home dovecot: auth-worker(default): pam(yyyy,192.168.2.17): #1/1 style=1 msg=Password: 
home dovecot: auth(default): client out: OK#0111#011user=yyyy
postfix/smtpd[8186]: NOQUEUE: reject: RCPT from unknown[192.168.2.17]: 554 5.7.1 <wwww@zzzz.com>: Relay access denied; from=<yyyy@xxxx.net> to=<wwww@zzzz.com> proto=ESMTP helo=<[192.168.2.17]>
postfix/smtpd[8186]: disconnect from unknown[192.168.2.17]

This means that postfix properly communicates with dovecot and I assume that authentication works since dovecot returns Ok at the end of its transaction.

Sending to a local account works and my MUA uses TLS as expected. Thus the only problem left is allowing relay for authenticated users. I thought that

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

would be enough after reading the postfix documentation.

SOLUTION: When commenting out the smtpd_sender_restrictions parameter relay was possible. I found it by commenting out suspicious arguments one by one. I don't know what might be blocking mail relay in it.

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_sender_domain
    regexp:/etc/postfix/forbid_from
chmike
  • Could you post your postfix configuration related with sasl auth ? – golja Aug 10 '12 at 12:32
  • Do I have to do something special for dovecot configuration ? I added the socket listen {} which is apparently correctly taken in account. – chmike Aug 10 '12 at 13:26
  • At least I would like that no authenticated users can submit mails to local users. It is relay only that should be blocked. – chmike Aug 10 '12 at 13:45
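
The settings in the question account for the original fatal error: dovecot offers only PLAIN and LOGIN, and on a cleartext session postfix filters them with `smtpd_sasl_security_options`, which contains `noplaintext`. The following is an added example, not code from the post or from Postfix; it is a simplified model of that filtering, and `offered_mechanisms`, `PROPERTIES` and `QUESTION_CF` are hypothetical names.

```python
# Security properties of each mechanism. PLAIN and LOGIN are the page's
# "mechanisms: plain login"; CRAM-MD5 is a constructed entry for contrast.
PROPERTIES = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "CRAM-MD5": {"dictionary", "active"},
}

# Values from the question (postconf output and the later update).
QUESTION_CF = {
    "smtpd_tls_auth_only": False,
    "smtpd_sasl_security_options": ["noanonymous", "noplaintext"],
    "smtpd_sasl_tls_security_options": ["noanonymous"],
}

def offered_mechanisms(dovecot_mechs, main_cf, tls_active):
    """Mechanisms smtpd would announce; None if SASL is not activated.

    An empty list is the state in which smtpd aborts with
    "fatal: no SASL authentication mechanisms".
    """
    if main_cf["smtpd_tls_auth_only"] and not tls_active:
        return None   # AUTH is withheld until STARTTLS completes
    key = ("smtpd_sasl_tls_security_options" if tls_active
           else "smtpd_sasl_security_options")
    # "noplaintext" bans every mechanism carrying the "plaintext" property.
    banned = {opt[2:] for opt in main_cf[key] if opt.startswith("no")}
    return [m for m in dovecot_mechs if not PROPERTIES[m] & banned]
```

With `smtpd_tls_auth_only = yes` the cleartext filter is never applied, and after STARTTLS only `noanonymous` is in force, so PLAIN and LOGIN survive.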

2 Answers

We can probably troubleshoot this with a few questions:

  • Is dovecot running?
  • Can you authenticate to it with an IMAP/POP client?
  • Is there a socket available at /var/spool/postfix/private/auth?
  • Is the socket readable/writeable by the postfix user?

If the answer to any of these questions is 'No', we have found your problem. If the answers are all 'Yes', please post doveconf -n

dotplus
  • The answer to all these questions is yes. – chmike Aug 10 '12 at 15:11
  • `postconf -a` to verify that your postfix has support for dovecot sasl. Then start looking at dovecot logs (make sure you have dovecot logging turned up enough): please post dovecot's log of an auth attempt. – dotplus Aug 10 '12 at 15:41
  • Yes, my postfix has support for dovecot. I failed to set auth_debug_passwords=yes. It is not shown with dovecot -n. – chmike Aug 10 '12 at 16:04
  • auth_debug = yes works. See debug output. I don't know what to think about it. – chmike Aug 10 '12 at 16:19

I solved the problem myself.

The parameter causing the relay to fail is

smtpd_sender_restrictions = ..., reject_unauth_destination, ...

Once removed, relay was possible for sasl authenticated users.

quanta
chmike
  • reject_unauth_destination should be in the smtpd_recipient_restrictions! Moreover, you should add permit_sasl_authenticated as the first option in the smtpd_sender_restrictions – ALex_hha Aug 11 '13 at 19:03
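
Why the authenticated client was still refused: each restriction list is evaluated in turn for the RCPT TO command, a REJECT from any list is final, and a PERMIT only ends the list it occurs in. The following is an added example, not code from the thread or from Postfix; it is a simplified model of that evaluation, with `MYNETWORKS`, `LOCAL_DOMAINS` and the function names as assumptions.

```python
import ipaddress

# Constructed stand-ins: the page hides real values behind xxxx/yyyy/zzzz.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]   # assumption
LOCAL_DOMAINS = {"xxxx.net"}                          # assumption

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else "DUNNO"

def reject_unauth_destination(s):
    # Looks at the RECIPIENT domain, whichever list it is placed in.
    domain = s["rcpt"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"

CHECKS = {f.__name__: f for f in
          (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination)}
LISTS = ("smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def evaluate(config, session):
    """Return (verdict, list, restriction) for one RCPT TO command."""
    for list_name in LISTS:
        for name in config.get(list_name, []):
            # Restrictions not modelled here are assumed to pass (DUNNO).
            result = CHECKS.get(name, lambda s: "DUNNO")(session)
            if result == "REJECT":
                return ("REJECT", list_name, name)   # final for the command
            if result == "PERMIT":
                break   # ends this list only; the next list still runs
    return ("ACCEPT", None, None)

BROKEN = {  # sender list as posted; recipient list cut to its first 3 entries
    "smtpd_sender_restrictions": [
        "permit_mynetworks", "reject_sender_login_mismatch",
        "reject_unauth_destination", "reject_unauth_pipelining",
        "reject_unknown_sender_domain", "regexp:/etc/postfix/forbid_from"],
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated",
        "reject_unauth_destination"],
}
FIXED = dict(BROKEN, smtpd_sender_restrictions=[
    r for r in BROKEN["smtpd_sender_restrictions"]
    if r != "reject_unauth_destination"])

AUTH_RELAY = {"client": "192.168.2.17", "sasl_user": "yyyy", "rcpt": "wwww@zzzz.com"}
ANON_RELAY = dict(AUTH_RELAY, sasl_user=None)
```

Because a PERMIT ends the list it appears in, a `permit_sasl_authenticated` placed first in `smtpd_sender_restrictions` also skips the later sender checks in that list, including `reject_sender_login_mismatch`, for authenticated clients.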