Postfix not accepting SASL user auth password

#1 Sun, 01/10/2010 - 15:56
justinwpw

Hi

I'm trying to use my Postfix smtp server with the Thunderbird email client running from another PC over the Internet.

It connects to the mail server, requests my password but does not accept it. It keeps asking me again to enter my password. The password is correct.

Any ideas?

Thanks!

Mon, 01/11/2010 - 11:12
justinwpw

Anyone able to help on this one?

Mon, 01/11/2010 - 11:16
andreychek

Take a peek in the logs -- exactly which one depends on your distro, but start with the mail logs... /var/log/mail.log or /var/log/maillog.

Do you see any errors in there during the time you're trying to authenticate?

-Eric

Mon, 01/11/2010 - 12:12
justinwpw

Just tried to authenticate. Here's the log. Appears to be because my external IP address accessed via my router is not listed for hostname dsldevice.lan. How do I associate my external IP address with hostname dsldevice.lan?

Jan 11 18:04:59 ns1 postfix/smtpd[11021]: warning: xxx.xxx.xxx.xxx: address not listed for hostname dsldevice.lan
Jan 11 18:04:59 ns1 postfix/smtpd[11021]: connect from unknown[xxx.xxx.xxx.xxx]
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: Password verification failed
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: unknown[xxx.xxx.xxx.xxx]: SASL PLAIN authentication failed: generic failure
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: generic failure
Jan 11 18:05:06 ns1 postfix/smtpd[11021]: disconnect from unknown[xxx.xxx.xxx.xxx]

Mon, 01/11/2010 - 12:30
andreychek

Well, the issue that appears to be occurring above looks like a problem with Postfix talking to the saslauth daemon.

I've seen that occur on older Ubuntu/Debian installs (in theory, that should be corrected with the current install.sh script).

However, to resolve it, run this command as root:

usermod -a -G sasl postfix

And then restart Saslauthd:

/etc/init.d/saslauthd restart

And then give it another shot, that should do the trick!

-Eric
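
The log above shows a failed login caused by Postfix being denied access to saslauthd, not by a wrong password. As an added example (not part of the original posts), this Python triage tells the two cases apart by correlating lines on the smtpd process id; the sample log is constructed from the one in this thread, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample modelled on the log posted in this thread; the client
# addresses are documentation IPs and the second connection is invented.
SAMPLE_LOG = """\
Jan 11 18:04:59 ns1 postfix/smtpd[11021]: connect from unknown[203.0.113.7]
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 11 18:05:05 ns1 postfix/smtpd[11021]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: generic failure
Jan 11 18:05:06 ns1 postfix/smtpd[11021]: disconnect from unknown[203.0.113.7]
Jan 11 18:09:41 ns1 postfix/smtpd[11021]: connect from unknown[203.0.113.9]
Jan 11 18:09:44 ns1 postfix/smtpd[11021]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

CONNECT = re.compile(r"smtpd\[(\d+)\]: connect from ")
BACKEND = re.compile(r"smtpd\[(\d+)\]: warning: SASL authentication failure: "
                     r"cannot connect to saslauthd server: (.+)$")
FAILED = re.compile(r"smtpd\[(\d+)\]: warning: \S+\[([^\]]+)\]: "
                    r"SASL (\S+) authentication failed: ")


def triage(log_text):
    """Label each failed SASL login as a server-side backend fault or a
    credential rejection, correlating lines by smtpd process id."""
    backend_error = {}  # pid -> why saslauthd could not be reached
    findings = []
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            backend_error.pop(m.group(1), None)  # new session, clean slate
        elif m := BACKEND.search(line):
            backend_error[m.group(1)] = m.group(2)
        elif m := FAILED.search(line):
            pid, client, mech = m.groups()
            reason = backend_error.get(pid)
            cause = (f"backend unreachable ({reason})" if reason
                     else "credentials rejected")
            findings.append((client, mech, cause))
    return findings


if __name__ == "__main__":
    for client, mech, cause in triage(SAMPLE_LOG):
        print(f"{client} {mech}: {cause}")
```

A "backend unreachable" finding points at server configuration such as the group membership fixed above, while a run of "credentials rejected" findings from one client is what password guessing looks like.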

Mon, 01/11/2010 - 13:31
justinwpw

Thanks Eric, it works now:-)

Tue, 01/12/2010 - 02:40
justinwpw

Yes, it works for sending email from the Thunderbird client, but on downloading email, it tries to connect to the server and times out after about 20 secs.

I expect that is a separate problem to the one above. I've got some 904 short email messages in the Inbox on the server; only a total of 1.64 MB.

I'm using the SSL option for the Thunderbird settings.

Tue, 01/12/2010 - 13:02
justinwpw

I can send mail, but cannot receive mail. It tries to connect but times out.

Help required???

Tue, 01/12/2010 - 13:06
andreychek

I'd expect to see a problem like that if your ISP was blocking port 25 (which many do these days).

If that's the case, there's not much you'd be able to do to resolve that, unfortunately...

-Eric

Tue, 01/12/2010 - 13:57
justinwpw

Nope, port 25 is not blocked by my ISP. Neither is port 110. I just checked with CanYouSeeMe.org.

It's obviously something else causing the problem.

Tue, 01/12/2010 - 14:07
andreychek

Well, I guess I'm not sure I understand the problem... if clients are timing out when trying to send you a message, I'm not sure it makes sense that the canyouseeme.org site thinks you're online -- in theory, that would time out too.

What's an example domain name you're having trouble with? (you can always mask it out later after we resolve all this)

-Eric

Tue, 01/12/2010 - 14:23 (Reply to #11)
justinwpw

Have a look at example.uk. Thanks. As I said, using Thunderbird from another PC on the same network, I can SEND emails using the mail.example.uk smtp server, but I can't receive (download) emails from the Inbox on this server. I CAN access the Inbox of this mailbox using Usermin web interface, but that's using a different method.

Tue, 01/12/2010 - 21:44 (Reply to #12)
andreychek

I'm able to connect to Dovecot on both port 110 (POP) and port 143 (IMAP) without any problems.

If you're getting timeouts connecting to those ports, it may be a network issue of some kind. Are you seeing any errors in the logs when you try?

-Eric

Wed, 01/13/2010 - 02:13 (Reply to #13)
justinwpw

It was a silly error caused by not opening a port on my NAT router. By using the SSL (port 993) setting on Thunderbird, I was able to download my emails from the server.

However, I have been experimenting with the Thunderbird settings. It seems that it will not connect if I use the TLS (port 143) setting. Yes, the port is open on my router. In Postfix, it says that I have TLS enabled for the SMTP server??? I WAS able to connect and download using the SSL setting.

But now I'm unable to connect at all through Thunderbird. Says server will not allow me to connect. Is that a security feature caused by all my experimenting? How do I override it?

Wed, 01/13/2010 - 07:54
andreychek

Hmm, well, port 143 is generally the plain text (and non-TLS) port. If Thunderbird is set up to use TLS for that port, unless there's something non-typical set up on your server, I suspect that wouldn't work.

If you disable TLS, and just use plain text to access port 143, does that work?

-Eric

Wed, 01/13/2010 - 12:25
justinwpw

Hi, after disabling TLS and deselecting TLS on the Thunderbird client, I get the following error from Thunderbird:

"You cannot login to mail.domain.co.uk because the server has disabled login. You may need to connect via SSL or TLS. Please check the account settings for your mail server."

These are my settings in Postfix:

SMTP Authentication And Encryption

Enable SASL SMTP authentication? Yes
Handle non-compliant SMTP clients? Yes
SMTP security options:
    Reject anonymous logins: Yes
    Reject plain-text logins: No
SMTP relaying restrictions:
    Allow connections from same network: Yes
    Allow connections from this system: No
    Reject clients with no reverse hostname: NO
    Allow authenticated clients: Yes
    Reject email to other domains: Yes
    Allow only relay domains: No
    Allow domains this system is a backup MX for: No
Delay clients with failed logins? Yes
Enable TLS encryption? Yes
TLS certificate file: Yes
TLS private key file: Yes
TLS certificate authority file: None

Wed, 01/13/2010 - 12:09
andreychek

It sounds like "disable_plaintext_auth" may be set to "yes".

Open up /etc/dovecot/dovecot.conf, and make sure that disable_plaintext_auth is set to "no", then restart Dovecot.

-Eric

Wed, 01/13/2010 - 12:11
justinwpw

It may or may not be relevant, but I have the following under SMTP Server Options:

Restrictions on recipient addresses: permit_mynetworks permit_sasl_authenticated myorigin = $mydomain reject_unauth_destination

I'm not sure about the myorigin = $mydomain, because I am operating a virtual server environment with Virtualmin. I remember that myorigin = $mydomain had to be taken out of the Postfix main.cf file to get Postfix to work with the virtual servers.

Wed, 01/13/2010 - 12:19
justinwpw

In dovecot.conf, I have:

Disable LOGIN command and all other plaintext authentications unless SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP matches the local IP (ie. you're connecting from the same computer), the connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

So, it is not set to yes.

Wed, 01/13/2010 - 12:26
andreychek

Well, I believe it defaults to "yes" unless told otherwise.

Try explicitly setting it to "no".

-Eric

Wed, 01/13/2010 - 12:40
justinwpw

I've found another clue. I disabled the antivirus mail scanner. Now, when using settings for TLS, I get following error:

"Unable to connect to smtp server mail.domain.co.uk via STARTTLS since it doesn't offer STARTTLS in EHLO response"

I had to disable the antivirus because of another error - it did not support TLS scanning.

I will try your above suggestion also.

Incidentally, I'm unable to mask out the above reference to my mail server domain (in # Posted: Tue, 2010-01-12 20:23). No edit option available - can you do it?

This is turning into a long thread!
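
Both client errors in this thread ("the server has disabled login" and "doesn't offer STARTTLS in EHLO response") follow from what the server advertises before any encryption starts. As an added example (not part of the original posts), this Python code reads an IMAP CAPABILITY line and an SMTP EHLO reply the way a client does; the function names are hypothetical and the server responses are constructed, not captured from the poster's server.

```python
# Constructed server responses for illustration (not captured from the
# poster's server). LOGINDISABLED is the capability named in dovecot.conf.
IMAP_PLAINTEXT_OFF = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED"
IMAP_PLAINTEXT_ON = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN"
EHLO_WITHOUT_TLS = ("250-mail.example.uk\r\n250-PIPELINING\r\n"
                    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME")


def imap_options(capability_line):
    """What an unencrypted port-143 connection allows, per its CAPABILITY."""
    caps = {token.upper() for token in capability_line.split()}
    return {"starttls": "STARTTLS" in caps,
            "cleartext_login": "LOGINDISABLED" not in caps}


def imap_attempt(setting, capability_line):
    """Outcome of a client login with connection security 'none' or 'starttls'."""
    opts = imap_options(capability_line)
    if setting == "starttls":
        return "ok" if opts["starttls"] else "fail: STARTTLS not offered"
    if setting == "none":
        if opts["cleartext_login"]:
            return "ok, but the password crosses the network unencrypted"
        return "fail: server has disabled login"
    raise ValueError(f"unknown setting: {setting}")


def smtp_options(ehlo_reply):
    """Parse an EHLO reply into STARTTLS support and pre-TLS AUTH mechanisms."""
    extensions = {}
    for line in ehlo_reply.splitlines()[1:]:  # line 0 is the server greeting
        words = line[4:].split()              # drop the "250-" / "250 " prefix
        if words:
            extensions[words[0].upper()] = [w.upper() for w in words[1:]]
    return {"starttls": "STARTTLS" in extensions,
            "auth_before_tls": extensions.get("AUTH", [])}


if __name__ == "__main__":
    print(imap_attempt("none", IMAP_PLAINTEXT_OFF))
    print(imap_attempt("starttls", IMAP_PLAINTEXT_OFF))
    print(smtp_options(EHLO_WITHOUT_TLS))
```

An EHLO reply that lists AUTH mechanisms but no STARTTLS, as in the constructed sample, means any SMTP login on that port sends the password unencrypted.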