Postfix and smtp-auth with saslauthd will not work

mw040621

After trying a couple of days I am not able to send emails via saslauthd.
I found a thread here, but this was not helpfull. Then I tryed the debian install script where also Postfix with saslauthd is configured, but also, some small changes did not help.

My system is a Debian 12 and I installed with the documentation. After installing, it worked well, I could send emails internally. After that, I want to configure Postfix more secure and add opendkim and connect a mailclient via smtp to send e-mails.

But always, in /var/log/mail.log there is the error message:
warning: SASL authentication failure: Password verification failed
warning: dyndsl-080-228-208-174.ewe-ip-backbone.de[80.228.208.174]: SASL PLAIN authentication failed: authentication failure, sasl_username=mawe@tamaly.de

after changeing the master.cf to
submission inet n - y - - smtpd
the error message change one time to
NOQUEUE: reject: RCPT from dyndsl-080-228-208-174.ewe-ip-backbone.de[80.228.208.174]: 554 5.7.1 mawe@tama-concept.de: Relay access denied; from=mawe@tamaly.de to=mawe@tama-concept.de proto=ESMTP helo=<fedora1.tamaly.de>

I can´t find my mistake. It would be great, if there is anyone who can help me.

Thanks in advance
Marco

--------

Here my configuration:
/etc/pam.d/
#%PAM-1.0
auth required pam_gromox.so service=smtp
account required pam_permit.so

/etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS="" # also with 127.0.0.1 it did not work
THREADS=5 # also with 0 it did not work
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

/etc/postfix/main.cf [only the in my eyes relevant lines]

TLS parameters

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtpd_milters = inet:localhost:12345
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.2, TLSv1.3, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = TLSv1.2, TLSv1.3, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

non_smtpd_milters = inet:localhost:12345
milter_protocol = 6
milter_default_action = accept

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated, defer_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

#smtp_sasl_path = smtpd
smtp_sasl_path = /etc/postfix/sasl

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /etc/postfix/sasl
broken_sasl_auth_clients = yes

cyrus_sasl_config_path = /etc/postfix/sasl

myhostname = mail3.tamaly.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = mysql:/etc/postfix/g-alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/g-virt.cf
virtual_transport = smtp:[localhost]:24
smtpd_sasl_local_domain = $myhostname

smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

/etc/postfix/master.cf
smtp inet n - y - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

ophion

HI
Did you ever get this working?
We're stuck in a similar spot, trying to send mails via smtp, also on a vanilla Debian 12.
So far we always end up with an authentication_failure.

Thanks
Markus

mw040621

ophion
Hi,
I am very sorry, but I could not resolve this with a "manual" installation at Debian 12.
After this I found in this forum a link to an installscript, who install everything and Postfix.
With this it works.

Here are my running Postfix configuration:
I deleted the comment-lines, hope you can handle it. If you need more, feel free to ask.

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
smtpd_tls_cert_file = /etc/grommunio-common/ssl/server-bundle.pem
smtpd_tls_key_file = /etc/grommunio-common/ssl/server.key
smtpd_tls_security_level = may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.waveline.marketing
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname, mail3.tamaly.de, localhost.tamaly.de, localhost, mail.waveline.marketing, localhost.waveline.marketing
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
milter_protocol = 6
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_use_tls = yes
virtual_transport = smtp:[::1]:24
virtual_alias_maps = mysql:/etc/postfix/grommunio-virtual-mailbox-alias-maps.cf
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unknown_recipient_domain,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining
smtpd_sender_restrictions = reject_non_fqdn_sender,permit_sasl_authenticated,permit_mynetworks
virtual_mailbox_domains = mysql:/etc/postfix/grommunio-virtual-mailbox-domains.cf
smtpd_sasl_security_options = noanonymous
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = no
smtpd_sasl_auth_enable = yes
smtpd_tls_received_header = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname
smtpd_sasl_local_domain = $myhostname
milter_default_action = accept
broken_sasl_auth_clients = yes
virtual_mailbox_maps = mysql:/etc/postfix/grommunio-virtual-mailbox-maps.cf
smtpd_data_restrictions = reject_unauth_pipelining
cyrus_sasl_config_path = /etc/postfix/sasl
#Anpassung opendkim
smtpd_milters = inet:localhost:11332, inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

/etc/postfix/master.cf

smtp inet n - y - - smtpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd

maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

crpb

mw040621 After this I found in this forum a link to an installscript, who install everything and Postfix.

ophion

Most of the configuration is done here
https://github.com/eryx12o45/grommunio-setup/blob/9ea5d83d31a3bb81cedab6150d94462dbea15bc4/grommunio-setup#L1086-L1140

Just search for "postfix" in the script for references.

current thread: https://community.grommunio.com/d/1166-debian-bookworm-12-grommunio-setup
old thread: https://community.grommunio.com/d/447-debian-11-clean-install-script