1 (edited by aniyan.rajan6 2013-10-19 10:10:43)

Topic: no SASL authentication mechanisms

Zhang,

The apt-get dist-upgrade is successful in my server. Now if I try to send an email to my domain from gmail, I don't receive it. But I get the following in mail.log.

================================
Oct 18 16:46:23 mx postfix/smtpd[3903]: connect from mail-pb0-f41.google.com[209.85.160.41]
Oct 18 16:46:31 mx postfix/smtpd[3905]: connect from mx.mydomain.org[127.0.0.1]
Oct 18 16:46:31 mx postfix/smtpd[3906]: connect from mx.mydomain.org[127.0.0.1]
Oct 18 16:46:33 mx postfix/smtpd[3903]: fatal: no SASL authentication mechanisms
Oct 18 16:46:34 mx postfix/master[3448]: warning: process /usr/lib/postfix/smtpd pid 3903 exit status 1
Oct 18 16:46:34 mx postfix/master[3448]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
=================================


2

Re: no SASL authentication mechanisms

*) Please make sure your Debian upgrade was successfully completed: http://www.iredmail.org/forum/post25079.html#p25079
*) Show us "postconf -n" please. But I think it's related to Dovecot config because Postfix uses Dovecot as SASL auth server.

3 (edited by aniyan.rajan6 2013-10-20 01:12:08)

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

*) Please make sure your Debian upgrade was successfully completed: http://www.iredmail.org/forum/post25079.html#p25079

Yes, it was completed successfully. Please see the following for confirmation:
# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

*) Show us "postconf -n" please. But I think it's related to Dovecot config because Postfix uses Dovecot as SASL auth server.

postconf -n follows. In some sample dovecot.conf, I have seen private/auth instead of dovecot-auth. But I think dovecot-auth is the correct one.

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.org
myhostname = mx.mydomain.org
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mydomain.org
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/recipient_access, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

4

Re: no SASL authentication mechanisms

Zhang,

Could you please reply?

Thanks.

5

Re: no SASL authentication mechanisms

Show us the output of the command "dovecot -n" please. I don't think you have the correct Dovecot config file after upgrading.

6

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

Show us the output of the command "dovecot -n" please. I don't think you have the correct Dovecot config file after upgrading.


dovecot -n follows. Thanks for your help.

# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.2
auth_default_realm = mydomain.org
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  expire = db:/var/lib/dovecot/expire/expire.db
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  expire = Trash 7 Trash/* 7 Junk 30
  expire_dict = proxy::expire
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /var/vmail/sieve/%Ld/%Ln
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_ca = /etc/ssl/certs/iRedMail_CA.pem
ssl_cert = /etc/ssl/certs/iRedMail_CA.pem
ssl_key = /etc/ssl/private/iRedMail.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

7

Re: no SASL authentication mechanisms

*) Is Dovecot service running? Any error or warning message in Dovecot log file?
*) You have correct SASL related settings in Postfix:

smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_type = dovecot

*) You have correct SASL path in Dovecot:

service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  …
}

8

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

*) Is Dovecot service running?

Yes.

# ps -A | grep dovecot
3190 ?        00:00:00 dovecot


ZhangHuangbin wrote:

Any error or warning message in Dovecot log file?

When I send an email from gmail.com to mydomain, dovecot.log says:

Oct 20 03:46:30 auth: Error: Can't open configuration file /etc/dovecot/dovecot-ldap.conf: No such file or directory
Oct 20 03:46:30 master: Error: service(auth): command startup failed, throttling for 60 secs
Oct 20 03:46:30 auth: Fatal: master: service(auth): child 18196 returned error 89 (Fatal failure)
Oct 20 03:47:30 auth: Error: Can't open configuration file /etc/dovecot/dovecot-ldap.conf: No such file or directory
Oct 20 03:47:30 master: Error: service(auth): command startup failed, throttling for 60 secs
Oct 20 03:47:30 auth: Fatal: master: service(auth): child 18205 returned error 89 (Fatal failure)
Oct 20 03:47:32 pop3-login: Fatal: Can't load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert=</etc/ssl/certs/iRedMail_CA.pem)
Oct 20 03:47:32 master: Error: service(pop3-login): command startup failed, throttling for 60 secs
Oct 20 03:48:30 auth: Error: Can't open configuration file /etc/dovecot/dovecot-ldap.conf: No such file or directory
Oct 20 03:48:30 master: Error: service(auth): command startup failed, throttling for 60 secs
Oct 20 03:48:30 auth: Fatal: master: service(auth): child 18210 returned error 89 (Fatal failure)

ZhangHuangbin wrote:

*) You have correct SASL related settings in Postfix:
*) You have correct SASL path in Dovecot:

Yes, they are correct.

9

Re: no SASL authentication mechanisms

aniyan.rajan6 wrote:

# ps -A | grep dovecot
3190 ?        00:00:00 dovecot

Managesieve listens on port 4190 by default, not 3190.

aniyan.rajan6 wrote:

When I send an email from gmail.com to mydomain, dovecot.log says:

Oct 20 03:46:30 auth: Error: Can't open configuration file /etc/dovecot/dovecot-ldap.conf: No such file or directory

Oct 20 03:47:32 pop3-login: Fatal: Can't load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert=</etc/ssl/certs/iRedMail_CA.pem)

Your log clearly explains why the Dovecot service cannot start. Please fix them first.
Why don't you have /etc/dovecot/dovecot-ldap.conf? Where is the old one from before upgrading? Finding it and copying it should fix the first error.

10 (edited by aniyan.rajan6 2013-10-20 23:25:22)

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

Managesieve listens on port 4190 by default, not 3190.

Could you please tell me where to change that?

ZhangHuangbin wrote:

Your log clearly explains why the Dovecot service cannot start. Please fix them first.
Why don't you have /etc/dovecot/dovecot-ldap.conf? Where is the old one from before upgrading? Finding it and copying it should fix the first error.

I fixed dovecot-ldap error. Now dovecot.log shows the following error:
Oct 20 15:14:51 auth: Fatal: LDAP: No uris or hosts set
Oct 20 15:14:51 master: Error: service(auth): command startup failed, throttling for 60 secs

I checked the old and the new dovecot-ldap.conf file. The 'hosts' line is commented in both. What should I add there?

11

Re: no SASL authentication mechanisms

I don't understand why you had this issue. You had a working Dovecot server before upgrading, so it must have had a working dovecot-ldap.conf (of course it had a working "hosts" parameter). Find the old one you used before upgrading please.

12 (edited by aniyan.rajan6 2013-10-21 12:24:33)

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

I don't understand why you had this issue. You had a working Dovecot server before upgrading, so it must have had a working dovecot-ldap.conf (of course it had a working "hosts" parameter). Find the old one you used before upgrading please.

Yes, it was working perfectly before upgrading. But I don't know which configs it was using.

I have the snapshot image of the old system (before upgrading). I have checked the entire system for dovecot-ldap.conf.

There is one in /etc/dovecot/dovecot-ldap.conf and another one in /usr/share/dovecot/dovecot-ldap.conf

Every line inside both files is commented except the line 'base='.

I also checked the new system after upgrading. These files exist, but everything inside is commented except 'base='.

Also these files look totally different from the sample file in the iRedMail package: /root/iRedMail-0.8.4/samples/dovecot/dovecot-ldap.conf. This particular file contains the following:

hosts           = PH_LDAP_SERVER_HOST:PH_LDAP_SERVER_PORT
ldap_version    = PH_LDAP_BIND_VERSION
auth_bind       = yes
dn              = PH_LDAP_BINDDN
dnpass          = PH_LDAP_BINDPW
base            = PH_LDAP_BASEDN
scope           = subtree
deref           = never

But all these parameters are commented in /etc/dovecot/dovecot-ldap.conf and /usr/share/dovecot/dovecot-ldap.conf

I have tried using the file /root/iRedMail-0.8.4/samples/dovecot/dovecot-ldap.conf and it says that:

Error in configuration file /etc/dovecot/dovecot-ldap.conf line 2: Invalid number: PH_LDAP_BIND_VERSION
LDAP: ldap_init() failed with hosts: PH_LDAP_SERVER_HOST:PH_LDAP_SERVER_PORT

By the way, I remember that during the first installation of iRedMail on my server, I selected MySQL instead of OpenLDAP. (In the screen "Choose your preferred backend used to store mail accounts"). So why configure LDAP now?

13

Re: no SASL authentication mechanisms

aniyan.rajan6 wrote:

By the way, I remember that during the first installation of iRedMail on my server, I selected MySQL instead of OpenLDAP. (In the screen "Choose your preferred backend used to store mail accounts"). So why configure LDAP now?

You must mention this in your FIRST post. And, please always show us basic info of your iRedMail server:

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

If you choose MySQL during iRedMail installation, it will not install OpenLDAP for you at all. Why do you use OpenLDAP after upgrading? I guess you installed a new virtual machine to get a sample working Dovecot-2 config file, and you chose OpenLDAP as the backend for this virtual machine. If your old server uses the MySQL backend, of course you have to choose the MySQL backend for this new virtual machine to get the same settings.

14

Re: no SASL authentication mechanisms

Zhang,

I got the new dovecot.conf from this url.

http://www.iredmail.org/forum/topic4493 … tos-5.html
https://bitbucket.org/zhb/iredmail/raw/ … ecot2.conf

I have made changes as you specified in the url and then upgraded Dovecot. I chose the dovecot2.conf because apt-get dist-upgrade was complaining about the old dovecot.conf settings. (pop3s, imaps, managesieve etc). Thus the ldap problems started coming.

Now what do you suggest to fix this? I can revert the dovecot.conf file, but need to manually update it to the latest syntax and settings.

Thanks.

15

Re: no SASL authentication mechanisms

Zhang,

I have fixed this finally. I have used this config file itself (did not revert).
https://bitbucket.org/zhb/iredmail/raw/ … ecot2.conf

I have changed the following.

# Virtual mail accounts.
userdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}
passdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}

The problem here is that I am not able to specify driver=mysql. It shows:
Oct 21 07:05:25 auth: Fatal: Unknown passdb driver 'mysql'

But 'sql' works. Any suggestions on that?

Thanks.

16

Re: no SASL authentication mechanisms

Do you have package 'dovecot-mysql' installed?

17

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

Do you have package 'dovecot-mysql' installed?

Yes, it is installed. Please see the confirmation.

# apt-get install dovecot-mysql
Reading package lists... Done
Building dependency tree       
Reading state information... Done
dovecot-mysql is already the newest version.
The following packages were automatically installed and are no longer required:
  libbind9-60 libboost-iostreams1.42.0 libdb4.7 libdns69 libgmp3c2 libisc62 libisccc60 libisccfg62
  libjpeg62 liblwres60 librpmio1 libssl0.9.8 libt1-5 lzma
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

18

Re: no SASL authentication mechanisms

ZhangHuangbin wrote:

Do you have package 'dovecot-mysql' installed?

Zhang,

Could you please reply?

Thanks.

19

Re: no SASL authentication mechanisms

aniyan.rajan6 wrote:

The problem here is that I am not able to specify driver=mysql. It shows:
Oct 21 07:05:25 auth: Fatal: Unknown passdb driver 'mysql'

iRedMail uses "sql" as passdb driver too.

20

Re: no SASL authentication mechanisms

Okay, so the following is correct for MySQL.

# Virtual mail accounts.
userdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}
passdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}
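
An added example, not part of any post in this thread and not iRedMail code: a Python check over `dovecot -n` output for the faults the thread walks through (an unreadable passdb/userdb args file, an LDAP args file with no `hosts` or `uris`, leftover `PH_` placeholders, `driver = mysql`, and an auth listener that does not match `smtpd_sasl_path`). The function names, the trimmed sample and the `/var/spool/postfix` queue directory default are assumptions; a relative `smtpd_sasl_path` is resolved against the Postfix queue directory.

```python
import posixpath
import re
from pathlib import Path

# Constructed sample: `dovecot -n` output trimmed to the blocks that matter here.
SAMPLE_DOVECOT_N = """\
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
  }
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
"""

def parse_blocks(text):
    """Return (kind, name, settings) for every block in `dovecot -n` output."""
    blocks, stack = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):
            words = line[:-1].split()
            stack.append((words[0], " ".join(words[1:]), {}))
        elif line == "}" and stack:
            blocks.append(stack.pop())
        elif "=" in line and stack:
            key, _, value = line.partition("=")
            stack[-1][2][key.strip()] = value.strip()
    return blocks

def check(dovecot_n, sasl_path, queue_dir="/var/spool/postfix", read_file=None):
    """List reasons the Dovecot auth service would give Postfix no SASL mechanisms."""
    read_file = read_file or (lambda path: Path(path).read_text())
    blocks, findings = parse_blocks(dovecot_n), []
    want = posixpath.normpath(posixpath.join(queue_dir, sasl_path))
    if want not in [name for kind, name, _ in blocks if kind == "unix_listener"]:
        findings.append(f"no Dovecot unix_listener at {want}")
    for kind, _, cfg in [b for b in blocks if b[0] in ("passdb", "userdb")]:
        driver, args = cfg.get("driver", ""), cfg.get("args", "")
        if driver == "mysql":
            findings.append(f"{kind}: unknown driver 'mysql', use 'sql'")
        try:
            live = [ln for ln in read_file(args).splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")]
        except OSError:
            findings.append(f"{kind}: cannot open {args}")
            continue
        if any("PH_" in ln for ln in live):
            findings.append(f"{kind}: {args} still contains PH_ placeholders")
        if driver == "ldap" and not any(re.match(r"\s*(hosts|uris)\s*=\s*\S", ln) for ln in live):
            findings.append(f"{kind}: {args} sets neither hosts nor uris")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_DOVECOT_N, "./dovecot-auth")))
```

On a live server, pass the real `dovecot -n` output and the `smtpd_sasl_path` value from `postconf -n`; an empty result means none of these particular faults is present.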