Postfix SMTP Auth Error “no SASL authentication mechanisms”

I have been setting up a new mail server recently with Postfix and SMTP Auth, and got the error message “no SASL authentication mechanisms”.

If you have enabled SMTP Auth with Postfix like this:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

and are getting messages like this (the extract below is from the mail log file):

Nov  2 15:31:09 vps131 postfix/smtpd[14007]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Nov  2 15:31:09 vps131 postfix/smtpd[14007]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Nov  2 15:31:09 vps131 postfix/smtpd[14007]: fatal: no SASL authentication mechanisms
Nov  2 15:31:10 vps131 postfix/master[12004]: warning: process /usr/libexec/postfix/smtpd pid 14007 exit status 1
Nov  2 15:31:10 vps131 postfix/master[12004]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

then you need to install the cyrus-sasl-plain package like so:

yum install cyrus-sasl-plain

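The above command installs the cyrus-sasl-plain package on CentOS and other RPM/Yum-based Linux distributions; on other distros, use the appropriate package manager (and package name). The package provides the PLAIN and LOGIN mechanism plugins for Cyrus SASL. Without any mechanism plugin installed, smtpd has nothing to offer and exits with the fatal error shown above.

  • Also make sure that saslauthd is running on your system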

# systemctl status saslauthd

# systemctl start saslauthd

# systemctl enable saslauthd

NOTES :

# SASL CONFIGURATION
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
#

You can verify your email server's security score here:

http://www.emailsecuritygrader.com

Here is a part of my /etc/postfix/main.cf

# Sender restrictions
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
#
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,
permit
# Postfix AntiSpam Configuration
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
#
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
#
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
#
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# Experimental
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd

🙂
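The excerpt above sets some parameters more than once and mixes the obsolete smtpd_use_tls / smtpd_enforce_tls switches with smtpd_tls_security_level. Postfix remembers only the last definition of a parameter, and a non-empty smtpd_tls_security_level overrides the two obsolete switches. The following is an added example, not part of the original configuration; the function names are made up for illustration. It resolves which values actually take effect:

```python
# Lines copied from the main.cf excerpt above (file order preserved).
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
smtpd_enforce_tls = yes
smtpd_use_tls = yes
# Experimental
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
"""

def parse_main_cf(text):
    """Return (name, value) pairs in file order. Blank and '#' lines are
    skipped; a line starting with whitespace continues the previous one."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError(f"continuation without a parameter: {raw!r}")
            name, value = entries[-1]
            entries[-1] = (name, f"{value} {raw.strip()}".strip())
        else:
            name, sep, value = raw.partition("=")
            if not sep:
                raise ValueError(f"expected name = value: {raw!r}")
            entries.append((name.strip(), value.strip()))
    return entries

def effective_settings(entries):
    """Last definition wins; also return the definitions it replaced."""
    effective, replaced = {}, []
    for name, value in entries:
        if name in effective:
            replaced.append((name, effective[name]))
        effective[name] = value
    return effective, replaced

def obsolete_tls_settings(effective):
    """Obsolete smtpd_use_tls / smtpd_enforce_tls entries that Postfix
    overrides once smtpd_tls_security_level is set."""
    if not effective.get("smtpd_tls_security_level"):
        return []
    return [n for n in ("smtpd_use_tls", "smtpd_enforce_tls") if n in effective]
```

For this excerpt the effective recipient restrictions are the second definition (the one ending in reject_unauth_destination), and the TLS level in force is "may", so smtpd_enforce_tls = yes has no effect.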

Configure PostFIX to use TLS – CentOS7

This step is optional: you don’t need it to get everything working, but if you want a secure setup you should do it. TLS allows you to set up an encrypted connection between the server and the mail client. This means that the authentication data is sent encrypted over the internet, whereas normal authentication is sent in clear text, making it possible for others to read.

Normally you would buy a certificate from Thawte or Verisign, but as we are building a server on the cheap we are going to create our own certificate. The only problem you will encounter when using your own certificate is that users explicitly have to accept and verify it, in contrast with certificates you buy, which are already accepted in most email clients by default. If, for instance, they try to send their email via your secure server for the first time, they need to accept your certificate. When using Mail.app in OS X they will get a certificate warning.

They need to press continue and from then on your certificate will be accepted and they won’t be asked again.

Just open a Terminal and execute the following command in the directory /etc/postfix:

sudo openssl req -new -outform PEM -out smtpd.cert \
   -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
   -days 365 -x509

This will create a 2048-bit key that, for now, is secure enough for your mail server to use. If you are paranoid and want a bigger key, just increase the number after rsa:. The certificate will be valid for a year; if you want a longer period, just increase the number after the -days option. When the key is finished you will be asked a couple of questions. The answers will be shown to people who inspect your certificate when their mail client complains. The most important one is the ‘Common Name’: make sure that it is the same as the mail server name.

Country Name (2 letter code) [CA]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

Now that you have created the certificate, you have to configure Postfix to make use of it and to use TLS to communicate securely with the email client. Note that smtpd_use_tls = yes only offers STARTTLS to clients; with smtpd_enforce_tls = no a client can still continue without encryption. Add the following lines to the configuration file main.cf in /etc/postfix:

smtpd_enforce_tls                = no
smtpd_tls_loglevel               = 1
smtpd_use_tls                    = yes
smtpd_tls_key_file               = /etc/postfix/smtpd.key
smtpd_tls_cert_file              = /etc/postfix/smtpd.cert

Issue the command sudo postfix reload to refresh the configuration of your mail server and you’re ready to test it out. Start a terminal session and issue the following command:

telnet your.mailserver.tld 25

The server will answer with:

Trying your.mailserver.tld...
Connected to your.mailserver.tld.
Escape character is ^]
220 your.mailserver.tld ESMTP Postfix

Then type in:

EHLO your.mailserver.tld

And again your server will answer, this time with its capabilities:

250-your.mailserver.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME

Now it’s time to test TLS and enter in capitals:

STARTTLS

and the server should respond with:

220 Ready to start TLS

Then you know it works, and you can give your favorite email client a try.
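The manual telnet check above can also be done on a captured EHLO reply. The following is an added example, not part of the original post; the function names and the second sample reply are constructed for illustration. It parses the multi-line 250 reply and reports when STARTTLS is missing or when AUTH is advertised before TLS has started, including the legacy "AUTH=" line that broken_sasl_auth_clients = yes produces:

```python
import re

# EHLO reply shown on the page (plaintext session, before STARTTLS).
PAGE_REPLY = """250-your.mailserver.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME
"""
# Constructed reply: broken_sasl_auth_clients = yes without
# smtpd_tls_auth_only, so AUTH (and the legacy "AUTH=" form) is offered.
CLEARTEXT_AUTH_REPLY = """250-your.mailserver.tld
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""

def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameters."""
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    caps = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if i == 0:
            continue  # first line carries the server name, not a keyword
        # Treat the legacy "AUTH=PLAIN LOGIN" form like "AUTH PLAIN LOGIN".
        words = re.sub(r"^AUTH=", "AUTH ", m.group(2), flags=re.I).split()
        if not words:
            continue
        params = caps.setdefault(words[0].upper(), [])
        params += [w.upper() for w in words[1:] if w.upper() not in params]
    return caps

def audit_plaintext_ehlo(reply):
    """Findings for an EHLO reply captured before STARTTLS."""
    caps = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "AUTH" in caps:
        findings.append("AUTH offered before STARTTLS: " + " ".join(caps["AUTH"]))
    return findings
```

The reply from the page produces no findings. With smtpd_tls_auth_only = yes, the AUTH line should appear only in the EHLO reply sent after STARTTLS has completed.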

Restart Postfix: systemctl restart postfix

NOTES:

After this fix, roundcube cannot send email anymore, investigating this!