1

Topic: fatal: no SASL authentication mechanisms

==== Required information ====
- iRedMail version: 8.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Linux/BSD distribution name and version: centos 6.3
- Related log if you're reporting an issue:
====

maillog
Oct 18 00:58:45 a postfix/smtpd[17145]: initializing the server-side TLS engine
Oct 18 00:58:45 a postfix/smtpd[17145]: connect from 157.sub-70-197-6.myvzw.com[70.197.6.157]
Oct 18 00:58:47 a postfix/smtpd[17145]: setting up TLS connection from 157.sub-70-197-6.myvzw.com[70.197.6.157]
Oct 18 00:58:47 a postfix/smtpd[17145]: 157.sub-70-197-6.myvzw.com[70.197.6.157]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:before/accept initialization
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 read client hello B
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write server hello A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write certificate A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write key exchange A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write server done A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 flush data
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 read client key exchange A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 read finished A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write session ticket A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write change cipher spec A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write finished A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 flush data
Oct 18 00:58:51 a postfix/smtpd[17145]: Anonymous TLS connection established from 157.sub-70-197-6.myvzw.com[70.197.6.157]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Oct 18 00:58:52 a postfix/smtpd[17145]: fatal: no SASL authentication mechanisms
Oct 18 00:58:53 a postfix/master[17071]: warning: process /usr/libexec/postfix/smtpd pid 17145 exit status 1
Oct 18 00:58:53 a postfix/master[17071]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


---------------------------------------

Issue:  I am also using this irekdmail server for a vpn and web hosting.  In migrating my services over it seems I have messed up some cofiguration.  I cannot seem to authenticate to the server.  The settings on thunderbird are the same as when it worked.  Startssl and plain login.  Ports are open and from the maillog I am establishing a connnection however no SASL mechanisms can be found.

Where to go from here?

2

Re: fatal: no SASL authentication mechanisms

rww4ired wrote:

==== Required information ====
- iRedMail version: 8.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Linux/BSD distribution name and version: centos 6.3
- Related log if you're reporting an issue:
====

maillog
Oct 18 00:58:45 a postfix/smtpd[17145]: initializing the server-side TLS engine
Oct 18 00:58:45 a postfix/smtpd[17145]: connect from 157.sub-70-197-6.myvzw.com[70.197.6.157]
Oct 18 00:58:47 a postfix/smtpd[17145]: setting up TLS connection from 157.sub-70-197-6.myvzw.com[70.197.6.157]
Oct 18 00:58:47 a postfix/smtpd[17145]: 157.sub-70-197-6.myvzw.com[70.197.6.157]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:before/accept initialization
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 read client hello B
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write server hello A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write certificate A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write key exchange A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 write server done A
Oct 18 00:58:47 a postfix/smtpd[17145]: SSL_accept:SSLv3 flush data
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 read client key exchange A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 read finished A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write session ticket A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write change cipher spec A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 write finished A
Oct 18 00:58:51 a postfix/smtpd[17145]: SSL_accept:SSLv3 flush data
Oct 18 00:58:51 a postfix/smtpd[17145]: Anonymous TLS connection established from 157.sub-70-197-6.myvzw.com[70.197.6.157]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Oct 18 00:58:52 a postfix/smtpd[17145]: fatal: no SASL authentication mechanisms
Oct 18 00:58:53 a postfix/master[17071]: warning: process /usr/libexec/postfix/smtpd pid 17145 exit status 1
Oct 18 00:58:53 a postfix/master[17071]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


---------------------------------------

Issue:  I am also using this irekdmail server for a vpn and web hosting.  In migrating my services over it seems I have messed up some cofiguration.  I cannot seem to authenticate to the server.  The settings on thunderbird are the same as when it worked.  Startssl and plain login.  Ports are open and from the maillog I am establishing a connnection however no SASL mechanisms can be found.

Where to go from here?

I increased the debug level in main.cf by:
smtpd_tls_loglevel = 4

Here is the output when I try to sendmail from postmaster

Oct 18 14:59:30 a postfix/smtpd[28977]: initializing the server-side TLS engine
Oct 18 14:59:30 a postfix/smtpd[28977]: connect from localhost[127.0.0.1]
Oct 18 14:59:30 a postfix/smtpd[28977]: fatal: no SASL authentication mechanisms
Oct 18 14:59:31 a roundcube: SMTP Error: SMTP error: Connection failed: Invalid response code received from server in /var/www/roundcubemail-0.8.1/program/include/main.inc on line 1485 (POST /mail/?_unlock=loading1350586770722&_lang=undefined?_task=mail&_action=send)
Oct 18 14:59:31 a postfix/master[28904]: warning: process /usr/libexec/postfix/smtpd pid 28977 exit status 1
Oct 18 14:59:31 a postfix/master[28904]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


Here is the relevant portions of the postfix main.cf file

reject_unlisted_sender = yes
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = localhost
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_authenticated_header = no
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 reject_unauth_destination reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_policy_service inet:127.0.0.1:10031 permit_inet_interfaces check_relay_domains
smtpd_tls_security_level = may
smtpd_tls_loglevel = 4
smtpd_tls_key_file = /etc/pki/tls/private/mail.dejure.us.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.dejure.us.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt
tls_random_source = dev:/dev/urandom
# Uncomment below line to enable policyd sender throttle.
#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
mailbox_command = /usr/libexec/dovecot/deliver
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = ./private/dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1

3

Re: fatal: no SASL authentication mechanisms

rww4ired wrote:

smtpd_sasl_path = ./private/dovecot-auth

It should be ./dovecot-auth instead.

If it still doesn't work, please paste output message of command "postconf -n" here.

4

Re: fatal: no SASL authentication mechanisms

Made the changes you suggested and restarted postfix, dovecot, and ldap.
Same error messages in the log etc. Here is the out put of postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = dejure.us
myhostname = mail.dejure.us
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = dejure.us
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relay_recipient_maps = proxy:ldap:/etc/postfix/ldap/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 reject_unauth_destination reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_policy_service inet:127.0.0.1:10031 permit_inet_interfaces check_relay_domains
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = localhost
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.dejure.us.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.dejure.us.key
smtpd_tls_loglevel = 4
smtpd_tls_security_level = may
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:501
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 501
virtual_transport = dovecot
virtual_uid_maps = static:501

5

Re: fatal: no SASL authentication mechanisms

rww4ired wrote:

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 reject_unauth_destination reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_policy_service inet:127.0.0.1:10031 permit_inet_interfaces check_relay_domains

Default value of smtpd_recipient_restrictions in iRedMail on CentOS 6 should be:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, chck_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031

And other two parameters:

smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

Could you please paste output of command "dovecot -n" to help troubleshoot?

6

Re: fatal: no SASL authentication mechanisms

mail still wont go through.

output of dovecot -n

# 2.0.18: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.9.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  expire = db:/var/lib/dovecot/expire/expire.db
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
disable_plaintext_auth = no
first_valid_uid = 501
last_valid_uid = 501
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_gid = 501
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_uid = 501
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  expire = Trash 7 Trash/* 7 Junk 30
  expire_dict = proxy::expire
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /%Lh/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_ca = </etc/pki/tls/certs/ca.crt
ssl_cert = </etc/pki/tls/certs/mail.dejure.us.crt
ssl_key = </etc/pki/tls/private/mail.dejure.us.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

7

Re: fatal: no SASL authentication mechanisms

I cannot find error in Dovecot config. Any related log in Dovecot log file (/var/log/dovecot.log, /var/log/sieve.log)?

8

Re: fatal: no SASL authentication mechanisms

I am getting multiple errors that range from amavisd dead but locked to weird dns problems.  I think that I need to do a new install.