From: Jeff Lacki on 11 Feb 2010 21:22

> >> smtpd_tls_auth_only = yes
>
> > Do you know what this parameter setting does?
>

After hours of digging into this, that particular message
seems to have come up because I didn't want plaintext
coming across in the smtp connection so I set:

smtpd_sasl_security_options = noanonymous, noplaintext

By having noplaintext I got the msg because my
dovecot and SASL configs weren't set up to handle
anything but plain and login, so...

in /etc/dovecot.conf

auth default {
  mechanisms = plain login digest-md5
}

in smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login digest-md5

Adding digest-md5 solved that error message.

The SASL doc didn't explain about setting up
smtpd_sasl_security_options with noplaintext (afaik) in
what I was reading per the mechanisms so I got lost.

I'm just posting this for the next guy who might have
a problem.

Thanks for your pointers.

From: /dev/rob0 on 11 Feb 2010 21:56

On Thu, Feb 11, 2010 at 06:22:55PM -0800, Jeff Lacki wrote:
> > >> smtpd_tls_auth_only = yes
> >
> > > Do you know what this parameter setting does?
>
> After hours of digging into this, that particular message
> seems to have come up because I didn't want plaintext
> coming across in the smtp connection so I set:
>
> smtpd_sasl_security_options = noanonymous, noplaintext
>
> By having noplaintext I got the msg because my
> dovecot and SASL configs weren't set up to handle
> anything but plain and login, so...
>
> in /etc/dovecot.conf
> auth default {
> mechanisms = plain login digest-md5
> }
>
> in smtpd.conf:

Irrelevant; that is a Cyrus SASL file. You seem to have confused
Dovecot and Cyrus. Look only at the Dovecot section in the Postfix
SASL_README, and you will see no mention at all of saslauthd nor
Cyrus configuration files.

> The SASL doc didn't explain about setting up
> smtpd_sasl_security_options with noplaintext (afaik) in
> what I was reading per the mechanisms so I got lost.

SASL_README presents a basic setup of Dovecot SASL. Advanced Dovecot
features are documented at http://wiki.dovecot.org/ .

> I'm just posting this for the next guy who might have
> a problem.

Let's hope he doesn't waste time on Cyrus, if he's wanting to use
Dovecot. :)

--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

From: Patrick Ben Koetter on 12 Feb 2010 02:45

* Jeff Lacki <jeep(a)rahul.net>:
>
> I'm trying to set up SASL+TLS+dovecot. Overall I've
> gotten things somewhat working, but have a couple questions
> since I'm new to this aspect of postfix.
>
> I get 'fatal: no SASL authentication mechanisms' in maillog
> I ran saslfinger and it showed no mechanisms,
>
> my /usr/lib/sasl2/smtpd.conf contains:
>
> pwcheck_method: saslauthd
> mech_list: plain login

Forget saslfinger for Dovecot. It was made for debugging Cyrus SASL only.
Also forget /usr/lib/sasl2/smtpd.conf. It configures Cyrus SASL, but you
want Dovecot SASL.

You have smtpd_sasl_type = dovecot, which is correct. You also have
smtpd_tls_auth_only = yes, which only lets you AUTH once a TLS connection
has been established. Turn it off, while you test.

Have you verified SMTP AUTH works without TLS? If you get "fatal: no SASL
authentication mechanisms" then Dovecot likely doesn't export any
mechanisms to Postfix. To have it do so you will have to tweak Dovecot's
configuration.

p(a)rick

> saslauthd is installed and running
>
> I don't think it matters, but I have what many others
> said they were missing: cyrus-sasl-plain installed.
>
> Am I supposed to add other 'mechanisms' and if so,
> how do I do so? Which packages do I add etc?
>
> Thanks!
>
> my postconf -n:
>
> address_verify_map = hash:/etc/postfix/address_verify_map
> alias_maps = hash:/etc/postfix/aliases
> allow_percent_hack = yes
> append_at_myorigin = yes
> append_dot_mydomain = yes
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> default_transport = smtp
> disable_vrfy_command = yes
> empty_address_recipient = MAILER-DAEMON
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> ignore_mx_lookup_error = no
> in_flow_delay = 1s
> inet_interfaces = all
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 15000000
> mydestination = $myhostname, localhost.$mydomain $mydomain
> myhostname = mydomain.com
> mynetworks = 127.0.0.0/8
> mynetworks_style = subnet
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases.postfix
> notify_classes = resource,software
> parent_domain_matches_subdomains =
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
> relay_domains = $mynetworks
> sample_directory = /usr/share/doc/postfix-2.4.5/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_always_send_ehlo = no
> smtp_connect_timeout = 30s
> smtp_data_done_timeout = 600s
> smtp_data_init_timeout = 120s
> smtp_data_xfer_timeout = 180s
> smtp_destination_concurrency_limit = 10
> smtp_helo_timeout = 300s
> smtp_mail_timeout = 300s
> smtp_never_send_ehlo = no
> smtp_pix_workaround_delay_time = 10s
> smtp_pix_workaround_threshold_time = 500s
> smtp_quit_timeout = 300s
> smtp_rcpt_timeout = 300s
> smtp_sasl_mechanism_filter = login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_skip_5xx_greeting = yes
> smtp_skip_quit_response = yes
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_hard_error_limit = 6
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/good_clients, hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname, reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,reject_unknown_hostname
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> smtpd_restriction_classes = restrictive, permissive
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = dovecot
> smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
> smtpd_sender_restrictions = reject_unknown_sender_domain
> smtpd_soft_error_limit = 4
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> virtual_alias_domains = nim-phila.org
> virtual_alias_maps = hash:/etc/postfix/virtual
>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
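
Added example (not part of any message in this thread, and not Postfix or Dovecot code): a simplified Python model of how the security options quoted above filter the mechanism list Dovecot exports, showing why plain and login alone leave nothing to offer under noplaintext. The FILTERS table and the function names are assumptions of this example; the parameter defaults are those documented in postconf(5).

```python
# Added example: simplified model of the option filtering, not Postfix code.
DEFAULTS = {  # defaults documented in postconf(5)
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
    "smtpd_tls_auth_only": "no",
}
FILTERS = {  # option -> mechanisms it removes (assumed, minimal set)
    "noplaintext": {"PLAIN", "LOGIN"},
    "noanonymous": {"ANONYMOUS"},
}

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def lookup(params, name):
    """Return a parameter value, following a single-name $reference."""
    value = params.get(name, DEFAULTS.get(name, ""))
    return lookup(params, value[1:]) if value.startswith("$") else value

def offered(mechs, option_string):
    """Mechanisms left after applying the security options."""
    opts = option_string.replace(",", " ").lower().split()
    banned = set().union(*(FILTERS.get(o, set()) for o in opts))
    return [m.upper() for m in mechs if m.upper() not in banned]

def audit(postconf_text, dovecot_mechs):
    """Mechanism lists for cleartext and TLS sessions; None = AUTH not offered."""
    p = parse_postconf(postconf_text)
    tls = offered(dovecot_mechs, lookup(p, "smtpd_sasl_tls_security_options"))
    if lookup(p, "smtpd_tls_auth_only") == "yes":
        clear = None  # AUTH is only announced after STARTTLS
    else:
        clear = offered(dovecot_mechs, lookup(p, "smtpd_sasl_security_options"))
    return {"cleartext": clear, "tls": tls}

# Constructed input: the three relevant lines from the postconf -n in the thread.
THREAD_CONF = """\
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
"""

if __name__ == "__main__":
    for mechs in (["plain", "login"], ["plain", "login", "digest-md5"]):
        print(mechs, "->", audit(THREAD_CONF, mechs))
```

An empty list for a session type is the situation the "no SASL authentication mechanisms" message in the thread describes.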

From: Patrick Ben Koetter on 13 Feb 2010 07:49

* Неворотин Вадим <nevorotin(a)gmail.com>:
> I have the same problem. When I try to add smtpd_sasl_security_options =
> noanonymous, noplaintext to my config smtpd starts to say FATAL ERROR))) Auth
> through dovecot works perfectly with
>
> smtpd_tls_auth_only = yes
>
> but then I only replace it with
>
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_tls_sasl_security_options = noanonymous
>
> SMTPD crashed. I really can't understand where the problem is.

Blind guess: There are no other mechanisms installed.
If that doesn't fix it, send debug output.

p(a)rick

From: Jeff Lacki on 13 Feb 2010 11:16

>> smtpd_sasl_security_options = noanonymous, noplaintext
>> smtpd_tls_sasl_security_options = noanonymous
>> SMTPD crashed. I really can't understand where is a problem.

> Blind guess: There are no other mechanisms installed.
> If that doesn't fix it, send debug output.

Dumb question I'm sure, but how does one install other
mechanisms like the ones listed in dovecot.conf:

digest-md5 cram-md5 ntlm rpa apop gssapi otp skey gss-spnego

I'm personally interested in digest-md5 and if you have
particular feelings about the others, I'd like to know
as well.

Are these yum packages (which I tried under the names
above with no luck)? Where do I acquire them?

Thanks,
Jeff