
I've recently had to change SMTP relays from Cablevision to Verizon. Verizon blocks port 25 but they will accept SSL via port 465 (per this). I've used this and this to have stunnel forward postfix's data to port 465.

Unfortunately, my mail is not making it out. I am receiving the following errors in mail.log:

Sep  8 15:16:25 DServ postfix/qmgr[6178]: A9EF9480429: from=<mark.kasson@docsmit.com>, size=545, nrcpt=1 (queue active)
Sep  8 15:16:25 DServ postfix/smtp[6777]: A9EF9480429: to=<markkasson@gmail.com>, relay=127.0.0.1[127.0.0.1]:12345, delay=231428, delays=231428/0.01/0.4/0, dsn=4.7.0, status=deferred (SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).)

Dovecot issues messages, however, none of them seem to be error messages. I have also seen the following:

Sep  8 17:26:26 DServ postfix/error[7112]: D0B944801A9: to=<mkasson@sigmgt.com>, relay=none, delay=197679, delays=197679/0.01/0/0.03, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).)

in my main.cf, I have:

relayhost = [127.0.0.1]:12345
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

in /etc/postfix/sasl_passwd I have

[127.0.0.1]:12345 MYUSERNAME@verizon.net:MYPASSWORD

I have run:

sudo postmap hash:/etc/postfix/sasl_passwd
sudo service postfix restart

If I telnet localhost 12345, I can reach the verizon server.

Any help would be greatly appreciated! Thank you.

EDIT Per Costin below, I ran openssl and got:

CONNECTED(00000003)
3073435324:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

It looks like it's complaining about unknown protocol. I'm not sure where to take it from here.

ADDITION The successful telnet transcript:

telnet localhost 12345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 vms173023pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
EHLO verizon.net
250-vms173023pub.verizon.net
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-HELP
250-XLOOP 80E3E78D42E6EE2FDAB2C28EB1AA64CD
250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-AUTH=LOGIN PLAIN
250-ETRN
250-NO-SOLICITING
250 SIZE 20971520
AUTH LOGIN
334 VXNlcm5hbWU6
MYUSERNAME-IN-64
334 UGFzc3dvcmQ6
MYPASSWORD-IN-64
235 2.7.0 LOGIN authentication successful.
    Could you run tcpdump on port 12345 when Postfix sends email? It will be useful to compare the Postfix SMTP transaction and the manual telnet transaction, in case Postfix fails to send the credentials – masegaloeh Sep 09 '14 at 04:28
  • masegaloeh, you were on the right track! (and thanks for the edit - I missed the spacing.) I brought in a consultant and got the solution. I'll post for others' future reference. – Mark Kasson Sep 09 '14 at 12:56

4 Answers


I brought someone in and, after a bit of examination and testing, we added smtp_sasl_mechanism_filter = login to main.cf. That cleared it up.

He explained that it forces Postfix to do the AUTH LOGIN (which I was doing manually while testing through telnet). smtp_sasl_mechanism_filter doc

I watched with tail -F /var/log/mail.log and the emails were going out. mailq runs showed a shrinking queue and it was good.

Thanks, all!

P.S. Three more notes:

1) I removed smtp_sasl_security_options = noanonymous. This may have been in the right direction, but it didn't get it done.

2) I didn't need to use smtp_generic_maps.

One of the articles had used both of these (and Costin suggested smtp_sasl_security_options as well).

3) This article was helpful in showing how to get the Base64 password for manually logging in with telnet, with perl -MMIME::Base64 -e 'print encode_base64("john\@example.com\0john\@example.com\0password")';

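A worked version of the exchange in the transcript and in the answer above, added here as an example (it is not code from the original post, from Postfix or from Verizon): a small client does EHLO, picks a mechanism and runs AUTH LOGIN or AUTH PLAIN over a socketpair against a fake relay whose EHLO reply is modelled on the Verizon transcript in the question. `choose_mechanism` models what `smtp_sasl_mechanism_filter = login` changes, namely that the client may only use mechanisms named in the filter. The fake relay, the hostnames, the client's preference order (strongest first) and the 504 reply for a mechanism the relay does not speak are all assumptions for illustration, not Verizon's real behaviour or Cyrus SASL's selection code.

```python
import base64
import socket
import threading

# Constructed EHLO reply, modelled on the Verizon transcript in the question.
EHLO_LINES = ["250-vms173023pub.verizon.net", "250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5",
              "250-AUTH=LOGIN PLAIN", "250 SIZE 20971520"]   # AUTH= is a legacy spelling
# Assumed client preference (strongest first); not Cyrus SASL's real ordering.
PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]

def b64(text):
    return base64.b64encode(text.encode()).decode()
def unb64(text):
    return base64.b64decode(text).decode()

def advertised_mechanisms(ehlo_lines):
    """Mechanisms from every '250-AUTH ...' / '250-AUTH=...' line, in order."""
    mechs = []
    for line in ehlo_lines:
        body = line[4:].upper()                   # drop '250-' / '250 '
        if body.startswith(("AUTH ", "AUTH=")):
            mechs += [m for m in body[5:].split() if m not in mechs]
    return mechs

def choose_mechanism(advertised, mechanism_filter=None):
    """smtp_sasl_mechanism_filter in miniature: keep only listed mechanisms,
    then take the most preferred survivor (None if nothing survives)."""
    allowed = set(advertised)
    if mechanism_filter is not None:
        allowed &= {m.upper() for m in mechanism_filter}
    return next((m for m in PREFERENCE if m in allowed), None)

def auth_plain_initial_response(user, password):
    """RFC 4616 PLAIN: NUL user NUL password, base64 once (note 3's perl string)."""
    return b64(f"\0{user}\0{password}")

class LineIO:                                     # CRLF line framing on a socket
    def __init__(self, sock):
        self.sock, self.reader = sock, sock.makefile("rb")
    def send(self, line):
        self.sock.sendall((line + "\r\n").encode())
    def recv(self):
        return self.reader.readline().decode().rstrip("\r\n")
    def recv_reply(self):                         # '250-' continues, '250 ' ends
        lines = [self.recv()]
        while len(lines[-1]) > 3 and lines[-1][3] == "-":
            lines.append(self.recv())
        return lines

def fake_relay(sock, user, password):
    """Server: answers EHLO like the transcript and speaks only LOGIN and PLAIN."""
    io = LineIO(sock)
    io.send("220 relay.example ESMTP (constructed)")
    io.recv()                                     # EHLO
    for line in EHLO_LINES:
        io.send(line)
    parts = io.recv().split(" ", 2)               # AUTH <mech> [initial-response]
    mech = parts[1].upper() if len(parts) > 1 else ""
    if mech == "LOGIN":                           # two 334 prompts, base64 each way
        io.send("334 " + b64("Username:"))
        u = unb64(io.recv())
        io.send("334 " + b64("Password:"))
        ok = (u, unb64(io.recv())) == (user, password)
    elif mech == "PLAIN" and len(parts) == 3:     # credentials in the initial response
        _, u, p = unb64(parts[2]).split("\0")
        ok = (u, p) == (user, password)
    else:
        ok = None                                 # a mechanism this relay lacks
    io.send({True: f"235 2.7.0 {mech} authentication successful.",
             False: "535 5.7.8 Authentication credentials invalid",
             None: "504 5.7.4 Unrecognized authentication type"}[ok])
    io.recv()                                     # QUIT
    io.send("221 2.0.0 Bye")
    sock.close()

def smtp_auth(sock, user, password, mechanism_filter=None):
    """Client: EHLO, pick a mechanism, AUTH, QUIT. Returns (mechanism, reply code)."""
    io = LineIO(sock)
    io.recv()                                     # banner
    io.send("EHLO client.example")
    mech = choose_mechanism(advertised_mechanisms(io.recv_reply()), mechanism_filter)
    if mech == "LOGIN":
        io.send("AUTH LOGIN")
        for secret in (user, password):           # answer both 334 challenges
            io.recv()
            io.send(b64(secret))
    elif mech == "PLAIN":
        io.send("AUTH PLAIN " + auth_plain_initial_response(user, password))
    else:                                         # challenge-response mechs not implemented
        io.send(f"AUTH {mech}")
    code = io.recv()[:3]
    io.send("QUIT")
    io.recv()
    return mech, code

def demo(mechanism_filter=None, password="MYPASSWORD"):
    """One client/server round over a socketpair, so no network is needed."""
    user = "MYUSERNAME@verizon.net"
    client_sock, server_sock = socket.socketpair()
    threading.Thread(target=fake_relay, args=(server_sock, user, "MYPASSWORD"), daemon=True).start()
    with client_sock:
        return smtp_auth(client_sock, user, password, mechanism_filter)
```

`demo()` is the unfiltered case: the client picks DIGEST-MD5 and the fake relay answers 504; `demo(["login"])` is the filtered case matching the answer and returns `("LOGIN", "235")`; `demo(["login"], "wrong")` shows a 535. `smtp_auth` takes any connected socket, so `socket.create_connection(("127.0.0.1", 12345))` would point it at the stunnel port from the question, and `auth_plain_initial_response` yields the same base64 string as the perl one-liner in note 3.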

This happened when I changed the password. To make it work again, delete sasl_passwd.db, then regenerate it using sudo postmap /etc/postfix/sasl_passwd, then restart Postfix with systemctl restart postfix.


Try this configuration for your main.cf:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_mechanism_filter = login

assuming you have all the other configs done accordingly.


Try to add this to your main.cf

smtp_sasl_security_options = noanonymous

then reload the Postfix configuration.

Also, after telnetting to localhost, try the steps described here to test SMTP AUTH connectivity to Verizon: http://www.ndchost.com/wiki/mail/test-smtp-auth-telnet

Replace telnet mailserver.com 25 command from the article with
telnet localhost 12345

Some howtos fail to mention that you need to have the libsasl2-modules package installed. Please check whether it is installed, and install it if it is not.

  • Thanks, Costin! I'll add the output above to openssl above. – Mark Kasson Sep 09 '14 at 00:26
  • I'm reading up on openssl s_client. Isn't stunnel also doing the same encrypting? Double encrypted? I connected directly to verizon port 465 with s_client, but if I go to localhost:12345 which then gets ssl'ed by stunnel, won't that mess up the communication? Sorry if I'm not understanding. – Mark Kasson Sep 09 '14 at 00:37
  • Thanks for the NDCHost article. I wasn't able to log in with openssl s_client (SSL Alert 40 and s3_pkt.c handshake failure), but I was able to log in using telnet localhost 25 with stunnel. I'm still guessing it's a postfix issue. – Mark Kasson Sep 09 '14 at 01:22
    @MarkKasson Can you add the transcript of smtp-auth transaction where you successfully login via `telnet localhost 25` ? – masegaloeh Sep 09 '14 at 03:12
  • @MarkKasson oh, that's right! stunnel already performs the ssl connection, so on your side there should be an unencrypted port listening. My mind was reading "stone" instead of "stunnel", which is a raw port redirector (no encryption, just a dumb redirect). I have updated the answer. I'll leave the telnet suggestion on though, could be useful to others, too. But please do try to add that option to the postfix configuration. I don't remember where I have read it (man 5 postconf is a good place to start) but I always use it when I have to SMTP auth to relay via a remote site. – Costin Gușă Sep 09 '14 at 03:42