# Postfix error after upgrade FreeBSD 11.1 to FreeBSD 11.3: fatal: no SASL authentication mechanisms



## freemicom (Feb 1, 2020)

Hi,
did it late but I finally upgraded my mailserver from FreeBSD 11.1 to 11.3. Im running a Postfix/Dovecot/MariaDB installation with virtual users and domains. Works without any issues until I finally did the upgrade. After the upgrade from Dovecot 2.2 to 2.3 I only had to add an entry for a missing dh.pem file plus the switch from ssl_protocol to ssl_min_protocol. But now the clients no longer can connect to the server and if sending out emails fails with "fatal: no SASL authentication mechanisms". I´ve found some posts but no one seems to be related to my problem. Here is my postconf -n output:

```
biff = 0
compatibility_level = 2
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
maps_rbl_domains = blackholes.mail-abuse.org, bl.spamcop.net, inputs.orbz.org, outputs.orbz.org, proxies.blackholes.easynet.nl, zombie.dnsbl.sorbs.net, cbl.abuseat.org
message_size_limit = 409600000
milter_default_action = accept
milter_protocol = 2
mydestination =
myhostname = my.server.name
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = my.server.name ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client proxies.blackholes.easynet.nl, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/usr/local/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/my.server.name-bundle.crt
smtpd_tls_key_file = /etc/ssl/private/my.server.name.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_ssl_options = NO_COMPRESSION
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

In addition here is dovecot -n

```
# 2.3.9.2 (cf2918cac): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.9 (db4e9a2f)
# OS: FreeBSD 11.3-RELEASE-p6 amd64  zfs
# Hostname: cato.bobkiecom.de
auth_mechanisms = plain login
log_path = /var/log/dovecot.log
mail_location = maildir:/usr/local/var/vmail/%d/%n/Maildir:INDEX=/usr/local/var/vmail/%d/%n/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap sieve lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = wheel
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl_cert = </etc/ssl/certs/my.server.name-bundle.crt
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  args = uid=vmail gid=vmail home=/usr/local/var/vmail/%d/%n
  driver = static
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = sieve
}
```

Any help is welcome.

Best regards,

Mike


----------



## obsigna (Feb 1, 2020)

Dovecot as well as Postfix by default don’t allow plaintext authentication over non-TLS connections. Now, you have set smtpd_tls_security_level = may which is really the preferred setting for incoming mails from other mail servers to your destinations. However, for mails coming in from your clients for being delivered to anywhere outside, this setting may fail in the case of the plaintext authentication mechanism. Because clients *may* choose not to use TLS.

You may want to consider to force your clients to use the submission port 587 or the smtps port 465 for submitting mails to your server, and then in /usr/local/etc/postfix/master.cf, you would set -o smtpd_tls_security_level=encrypt in the submission as well as the smtps section.

You could also configure Dovecot with disable_plaintext_auth=no and Postfix with smtp_sasl_security_options=. However, by this you would need to prevent password interception by other means.


----------

