Postfix SASL authentication failed – Internal authentication error


I've recently had to change SMTP relays from Cablevision to Verizon. Verizon blocks port 25 but they will accept SSL via port 465 (per this). I've used this and this to have stunnel forward postfix's data to port 465.

Unfortunately, my mail is not making it out. I am receiving the following errors in mail.log:

Sep  8 15:16:25 DServ postfix/qmgr[6178]: A9EF9480429: from=<mark.kasson@docsmit.com>, size=545, nrcpt=1 (queue active)
Sep  8 15:16:25 DServ postfix/smtp[6777]: A9EF9480429: to=<markkasson@gmail.com>, relay=127.0.0.1[127.0.0.1]:12345, delay=231428, delays=231428/0.01/0.4/0, dsn=4.7.0, status=deferred (SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).)

Dovecot issues messages; however, none of them seem to be error messages. I have also seen the following:

Sep  8 17:26:26 DServ postfix/error[7112]: D0B944801A9: to=<mkasson@sigmgt.com>, relay=none, delay=197679, delays=197679/0.01/0/0.03, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).)

In my main.cf, I have:

relayhost = [127.0.0.1]:12345
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

In /etc/postfix/sasl_passwd I have:

[127.0.0.1]:12345 MYUSERNAME@verizon.net:MYPASSWORD

I have run:

sudo postmap hash:/etc/postfix/sasl_passwd
sudo service postfix restart

If I telnet localhost 12345, I can reach the Verizon server.

Any help would be greatly appreciated! Thank you.

EDIT
Per Costin below, I ran openssl and got:

CONNECTED(00000003)
3073435324:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

It looks like it's complaining about unknown protocol. I'm not sure where to take it from here.

ADDITION
The successful telnet transcript:

telnet localhost 12345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 vms173023pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
EHLO verizon.net
250-vms173023pub.verizon.net
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-HELP
250-XLOOP 80E3E78D42E6EE2FDAB2C28EB1AA64CD
250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-AUTH=LOGIN PLAIN
250-ETRN
250-NO-SOLICITING
250 SIZE 20971520
AUTH LOGIN
334 VXNlcm5hbWU6
MYUSERNAME-IN-64
334 UGFzc3dvcmQ6
MYPASSWORD-IN-64
235 2.7.0 LOGIN authentication successful.

Best Answer

I brought someone in and, after a bit of examination and testing, we added smtp_sasl_mechanism_filter = login to main.cf. That cleared it up.

He explained it forces postfix to do the AUTH LOGIN (that I was doing manually while testing through telnet). smtp_sasl_mechanism_filter doc

I watched with tail -F /var/log/mail.log and the emails were going out. mailq runs showed a shrinking queue and it was good.

Thanks, all!

P.S. Three more notes:

1) I removed smtp_sasl_security_options = noanonymous. This may have been in the right direction, but it didn't get it done.

2) I didn't need to use smtp_generic_maps.

One of the articles had used both of these (and Costin suggested smtp_sasl_security_options as well).

3) This article was helpful in showing how to get Base64 password for manually logging in with telnet with perl -MMIME::Base64 -e 'print encode_base64("john\@example.com\0john\@example.com\0password")';
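
An added example, not part of the original question or answer and not Postfix's own code: it parses the EHLO reply from the telnet transcript above, shows which mechanisms remain once a filter of `login` is applied, and decodes the `334` prompts seen during the manual AUTH LOGIN. The filter logic is a simplified assumption that handles plain mechanism names only, and all function names are hypothetical.

```python
import base64

# EHLO reply lines taken from the telnet transcript in the question (shortened).
EHLO_REPLY = """\
250-vms173023pub.verizon.net
250-8BITMIME
250-PIPELINING
250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-AUTH=LOGIN PLAIN
250-ETRN
250 SIZE 20971520
"""

def advertised_mechanisms(ehlo_reply):
    """Collect SASL mechanisms from 'AUTH ...' and legacy 'AUTH=...' lines."""
    mechs = []
    for line in ehlo_reply.splitlines():
        keyword = line[4:].strip()  # drop the '250-' or '250 ' prefix
        if keyword.upper().startswith(("AUTH ", "AUTH=")):
            for name in keyword[5:].split():
                if name.upper() not in mechs:
                    mechs.append(name.upper())
    return mechs

def apply_filter(mechs, mechanism_filter):
    """Simplified model of a mechanism filter: keep only the listed names."""
    allowed = {m.upper() for m in mechanism_filter.replace(",", " ").split()}
    return [m for m in mechs if m in allowed]

def decode_challenge(line):
    """Decode the base64 text of a '334 ...' server challenge."""
    return base64.b64decode(line.split(None, 1)[1]).decode("ascii")

def login_responses(user, password):
    """The two base64 lines a client sends in reply to AUTH LOGIN prompts."""
    return [base64.b64encode(s.encode()).decode("ascii") for s in (user, password)]

if __name__ == "__main__":
    mechs = advertised_mechanisms(EHLO_REPLY)
    print("advertised:", mechs)
    print("after filter 'login':", apply_filter(mechs, "login"))
    print(decode_challenge("334 VXNlcm5hbWU6"), decode_challenge("334 UGFzc3dvcmQ6"))
    # Constructed sample credentials, not real ones.
    print(login_responses("user@example.net", "constructed-password"))
```

Base64 is an encoding, not encryption, so LOGIN and PLAIN credentials are only protected while they travel inside the TLS session, which in this setup is the stunnel leg to port 465.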