# postfix and dovecot issues



## tony33 (Feb 18, 2021)

Here are the log errors:


```
Feb 17 20:03:08 tony33server1 postfix/smtpd[32841]: Anonymous TLS connection established from (my ipaddress) : TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 17 20:03:18 tony33server1 postfix/smtpd[32841]: fatal: no SASL authentication mechanisms
Feb 17 20:03:19 tony33server1 postfix/master[2202]: warning: process /usr/local/libexec/postfix/smtpd pid 32841 exit status 1
Feb 17 20:03:19 tony33server1 postfix/master[2202]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Feb 17 20:18:28 tony33server1 postfix[34109]: Postfix is running with backwards-compatible default settings
Feb 17 20:18:28 tony33server1 postfix[34109]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Feb 17 20:18:28 tony33server1 postfix[34109]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34162]: warning: group or other writable: /usr/local/etc/postfix/./mysql_relay_domains_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34163]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_alias_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34164]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_domains_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34165]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_lookup.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34166]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_mailbox_limit_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34167]: warning: group or other writable: /usr/local/etc/postfix/./mysql_virtual_mailbox_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34168]: warning: group or other writable: /usr/local/etc/postfix/./transport
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34169]: warning: group or other writable: /usr/local/etc/postfix/./transport.db
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34171]: warning: not owned by postfix: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34172]: warning: not owned by postfix: /var/db/postfix/./prng_exch
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34174]: warning: group or other writable: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34175]: warning: group or other writable: /var/db/postfix/./prng_exch
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34187]: warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ
```

I would like to know what I can do to figure out what the issue is. My postfix is set up to use dovecot. I know the "group or other writable" warnings are permission issues.
I would like to know if this would cause a "fatal: SASL auth mechanism" error? I do have SASL auth mechanisms configured in the config file.
If someone could give me some commands I should run to get a better picture of what might be going wrong. saslauthd is running. I checked, and so are dovecot and postfix.
I would appreciate the help, thanks guys.
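As an added example (not part of tony33's post or either project's code), a small Python triage of the postfix-script warnings quoted above: it turns each "group or other writable" / "not owned by postfix" line into the matching chmod/chown, reports the stale chroot copy of resolv.conf, and keeps the fatal SASL line apart as a configuration problem rather than a file-permission one. The log lines are a constructed subset of the ones quoted above; the remediation commands are assumptions derived from the warning text.

```python
import os
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
Feb 17 20:03:18 tony33server1 postfix/smtpd[32841]: fatal: no SASL authentication mechanisms
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34162]: warning: group or other writable: /usr/local/etc/postfix/./mysql_relay_domains_maps.cf
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34171]: warning: not owned by postfix: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34174]: warning: group or other writable: /var/db/postfix/./master.lock
Feb 17 20:18:29 tony33server1 postfix/postfix-script[34187]: warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ
"""

WRITABLE = re.compile(r"warning: group or other writable: (\S+)")
NOT_OWNED = re.compile(r"warning: not owned by postfix: (\S+)")
STALE_CHROOT = re.compile(r"warning: (\S+) and (\S+) differ")
SASL_FATAL = "fatal: no SASL authentication mechanisms"

def triage(log_text):
    """Split postfix log lines into per-path permission fixes and other findings.
    Returns (fixes, findings): fixes maps a normalised path to the commands that
    clear its postfix-script warnings; findings lists problems chmod cannot fix."""
    fixes, findings = defaultdict(list), []
    for line in log_text.splitlines():
        if m := WRITABLE.search(line):
            path = os.path.normpath(m.group(1))  # drops the '/./' postfix-script prints
            fixes[path].append(f"chmod go-w {path}")
        elif m := NOT_OWNED.search(line):
            path = os.path.normpath(m.group(1))
            fixes[path].append(f"chown postfix {path}")
        elif m := STALE_CHROOT.search(line):
            findings.append(f"chroot copy {m.group(1)} is out of date; copy {m.group(2)} over it")
        elif SASL_FATAL in line:
            # Not a file-permission problem: smtpd could not reach its SASL provider.
            findings.append("smtpd cannot reach the SASL provider; check smtpd_sasl_type/"
                            "smtpd_sasl_path against the Dovecot auth socket")
    return dict(fixes), findings
```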


----------



## trev (Feb 18, 2021)

The warning messages are telling you what is wrong. Fix those permissions (+ ownership) where indicated.


----------



## msplsh (Feb 18, 2021)

Dovecot is probably vending the SASL, so more information may be in there.  The last time I set this up, I have notes that /usr/local/etc/sasldb* needs to be group mail readable and postfix needs to be in the mail group.

Only the last five warnings are definitely wrong and you should fix the permissions.  The others _may_ be wrong.


----------



## tony33 (Feb 18, 2021)

trev said:


> The warning messages are telling you what is wrong. Fix those permissions (+ ownership) where indicated.


Yeah, I understood that. I am trying to figure out if that's the reason for the error message "fatal: no SASL authentication mechanisms",
because that's what is shown first, before the other errors, and I think the permission issues aren't causing the "fatal: no SASL authentication mechanisms" error.

My main question is: what's causing the "fatal: no SASL authentication mechanisms" error?


----------



## anlashok (Feb 18, 2021)

That is symptomatic of Postfix not being able to access what you have configured as the SASL provider. This could be that Dovecot isn't running, or is using a different directory for its authentication compared with what you have configured in Postfix.

Check your dovecot.conf, and the postfix config for smtpd_sasl_auth_path=/your_path; they should both be using the same location.

This thread might help.


----------



## Machiaveli (Feb 21, 2021)

tony33 said:


> I would like to know what I can do to figure out what the issue is. My postfix is set up to use dovecot. I know the "group or other writable" warnings are permission issues.
> I would like to know if this would cause a "fatal: SASL auth mechanism" error? I do have SASL auth mechanisms configured in the config file.
> If someone could give me some commands I should run to get a better picture of what might be going wrong. saslauthd is running. I checked, and so are dovecot and postfix.
> I would appreciate the help, thanks guys.


You don't need an external SASL daemon running, as dovecot *does* (since version >=1.0) provide an SASL authentication facility, provided your postfix has been built with dovecot's SASL authentication service (check with `postconf -a`).

Both postfix and dovecot have incredible documentation, up to date and accurate, on how things work.


----------



## tony33 (Feb 25, 2021)

Machiaveli said:


> You don't need an external SASL daemon running, as dovecot *does* (since version >=1.0) provide an SASL authentication facility, provided your postfix has been built with dovecot's SASL authentication service (check with `postconf -a`).
> 
> Both postfix and dovecot have incredible documentation, up to date and accurate, on how things work.


Yes, that command

```
postconf -a
```

spits out this: dovecot.

Should my config be set up like the one you linked me to? My setup used to work with plain text. I set up the system to use plaintext login but used mysql as a database for domains and user accounts. I then wanted the data encrypted for additional security, so I configured the server to use ssl/tls following a tutorial online, but it never really showed if I had to do anything for mysql to look up the users and domain names that the mail server would be used for.

I would like to know how to set up postfix and dovecot to use ssl and TLS. Why is it complaining about "fatal: no SASL authentication mechanisms"?

Do note that postfix and dovecot have been updated to the latest version. So, I don't know if what it spits out means it's using an old dovecot version.
I will check my configs today, and today I plan on fixing those permission issues.


----------



## msplsh (Feb 25, 2021)

If you didn't do anything to figure out how to setup passdb and userdb on Dovecot, you're going to be in trouble.  Setting up mail is a giant pain in the reading-the-docs.  If you _expect_ your mail setup to use MySQL and didn't configure a password_query, user_query, or iterate_query in Dovecot (This is *not* a complete list of the config variables _necessary_ for a working configuration) *and/or* didn't create a table that those queries reference, it's just not going to work.  SASL won't even have anything to query if this isn't configured.

I went and looked at how I have SASL set up...  I make no claims to suitability or fit for purpose.


Postfix:

```
smtpd_sasl_type = dovecot
# relative to $queue_directory
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
```

Dovecot:

```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    path = /var/spool/postfix/private/auth
    user = postfix
    # placeholder: a group that both dovecot and postfix belong to
    group = group_both_dovecot_and_postfix_belong_to
    mode = 0660
  }
}
```
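As an added example (not msplsh's code nor either project's), a Python cross-check of the two snippets above: it resolves Postfix's relative `smtpd_sasl_path` against `queue_directory` and verifies that a Dovecot `unix_listener` with that exact path exists, is owned by user postfix, and grants no access to "other". The config fragments are constructed; the helper names and the fallback `queue_directory` of /var/spool/postfix are assumptions, and `smtpd_sasl_type = dovecot` is taken for granted.

```python
# Constructed sample fragments modelled on the snippets above, not a real server.
POSTFIX_MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""
DOVECOT_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    mode = 0660
  }
}
"""

def parse_postfix(text):
    """'key = value' lines of a main.cf fragment; comments and blanks skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_dovecot_listeners(text):
    """{socket_path: settings} per unix_listener; 'path =' inside overrides the name."""
    listeners, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("unix_listener ") and line.endswith("{"):
            current = {"path": line.split()[1]}
            listeners.append(current)
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return {l["path"]: l for l in listeners}

def check_sasl_wiring(main_cf, dovecot_conf):
    """Return a list of problems; an empty list means the two sides agree."""
    pf, problems = parse_postfix(main_cf), []
    # Postfix resolves a relative smtpd_sasl_path against queue_directory.
    path = pf.get("smtpd_sasl_path", "smtpd")
    if not path.startswith(("/", "inet:")):
        path = pf.get("queue_directory", "/var/spool/postfix").rstrip("/") + "/" + path
    listener = parse_dovecot_listeners(dovecot_conf).get(path, {})
    if not listener:
        problems.append(f"no Dovecot unix_listener for {path}")
    elif listener.get("user") != "postfix":
        problems.append("auth socket should be owned by user postfix")
    elif not listener.get("mode", "0600").endswith("0"):
        problems.append("auth socket mode grants access to 'other'")
    return problems
```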


----------



## Machiaveli (Feb 27, 2021)

tony33 said:


> Yes that command
> 
> 
> 
> ...



Your setup should stick to what the dovecot and postfix documentation explain.
@*msplsh*'s postfix main.cf configuration snippet is what you need to have postfix make use of dovecot's sasl facility (through the auth socket).

You can omit

```
smtpd_sasl_auth_enable = yes
```

if your postfix does not serve as a relay host for another MTA.

To this snippet you can add security by using

```
smtpd_sender_login_maps
```

(this will tie sasl users to the MAIL FROM envelope sender they're using). But first get your sasl configuration working.

As for the dovecot part, @*msplsh*'s configuration snippet is the right one to set up a sasl authentication socket that postfix will use to allow sasl-authenticated clients to submit emails to the MSA (the submission and/or smtps postfix subprocesses defined in postfix's master.cf).



tony33 said:


> My setup used to work with plain text. I setup the system to use plaintext login but used mysql as a database for domains and user accounts. I then wanted the data encrypted for additional security so I config the server  to use ssl /tls  following a tutorial online but it never really showed if I had to do anything for mysql to lookup users and domain names that the mail server would be used for.


Plain text login is ok as long as sasl-authenticated clients connect either via STARTTLS (submission on port 587) or, better, via SSL (smtps on port 465).
Clients' passwords are anyway hashed by default with CRAM-MD5 by dovecot when stored (in an SQL database or a plain text file). You may switch to a more secure hash scheme though (blowfish is great and by default uses 5 rounds of salting in dovecot).

Configuring dovecot to use an SQL database is done at several levels of dovecot's configuration.

#1 Via a passdb with an sql driver and queries to retrieve data:

```
passdb {
  driver = sql
  args = /path_to_an_sql_query_statement
}
```

#2 Via a dict service for proxying SQL lookups:

```
service dict {
  unix_listener dict {
    mode = 0660
    user = <mail_user>
    group = <mail_group>
  }
}
```

#3 Via a userdb prefetching:

```
userdb {
  driver = prefetch
}

userdb {
  driver = sql
  args = /path_to_an_sql_query_statement
}
```



tony33 said:


> I would like to know how to setup postfix and dovecot to use ssl and TLS.  Why is it  complaining about fatal: no SASL authentication mechanisms ?


postfix spits out this error because it can't find any sasl authentication mechanism (be it a socket or a TCP inet port).
SASL authentication mechanisms are made available by an external daemon (an MDA or a standalone sasl daemon).

Dovecot as an MDA (Mail Delivery Agent) can create and make available such a socket.

As for securing your email chain with SSL/TLS, this is done at the MTA level (postfix), the MSA level (postfix's submission and/or smtps subprocess) and the MDA level (dovecot in your case).

In main.cf (for the postfix smtpd process: inbound connections from other MTAs):

```
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_chain_files = <path_to_your_certificate_private_key> <path_to_your_certificate_fullchain>
# If your smtpd does have virtual domains, use this:
tls_server_sni_maps = <path_to_a_map_for_virtual_domains_if_any>
```

In main.cf (for the postfix smtp process: outbound connections to remote MTAs):

```
smtp_tls_session_cache_database = btree:$data_directory/smtp_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
```

In master.cf (for the postfix submission process: STARTTLS inbound connections from sasl-authenticated clients):

```
# "-o" override on the submission service entry
  -o smtpd_tls_security_level=encrypt
```

In master.cf (for the postfix smtps process: SSL inbound connections from sasl-authenticated clients):

```
# "-o" override on the smtps service entry
  -o smtpd_tls_wrappermode=yes
```

For dovecot:

```
ssl_dh = </path_to_dovecot_diffie_hellman_exchange_keys_certificate

# Serving up IMAP facilities to remote clients (both STARTTLS and SSL connections)
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# Make use of our TLS certificate
ssl_cert = </path_to_your_certificate_fullchain>
ssl_key = </path_to_your_certificate_private_key>
```



tony33 said:


> do note that postfix and dovecot has been updated to use the latest version.  So,  I don't know when it spits out if it's  using an old dovecot version.
> I will check my configs today and today I plan on fixing those permission issues.


That's the first thing to do: fixing up permissions. Then configure dovecot to serve a sasl authentication socket, then enforce TLS/SSL at the MTA (postfix smtpd/smtp processes), MSA (postfix submission/smtps subprocesses) and MDA (dovecot) levels.

Setting up a complete mail exchanger is not a trivial thing, and I highly recommend subscribing to the dovecot and postfix mailing lists to get reviews of your configuration and ask for advice on how to achieve a secure mail chain.


----------



## Jose (Feb 27, 2021)

Machiaveli said:


> Plain text login is ok as long as sasl authenticated clients does connect either via STARTTLS (submission on port 587) or better via SSL (smtps on port 465).


Be aware that the situation here is kind of a mess:

Is port 465 deprecated? — Linux Guide and Hints (linuxguideandhints.com)

Which SMTP Port Should I Use? Understanding Ports 25, 465, & 587 | Mailgun (www.mailgun.com)

I use, and will continue to use, port 465 until it stops working, mainly out of spite. I hate bureaucratic cat fights.


----------



## Machiaveli (Feb 27, 2021)

Jose said:


> Be aware that the situation here is kind of a mess
> 
> 
> 
> ...


Yep, RFC 8314 was discussed on the postfix-users mailing list a while ago, and the current consensus among posters on this list is to use SSL wrappermode for every submission on port 465/TCP for now (hence postfix's files and documentation still use "smtps" to define SSL submission to an MSA).

We're currently in a fuzzy mess where STARTTLS via 587/TCP is so widely used and known by users that 465/TCP comes back to the front of the scene just so as not to mess up habits.

But things will change sooner or later and 587/TCP will become "_submission*s*_" (where the final "s" means encrypted submission as opposed to STARTTLS regular "submission").



Jose said:


> I use, and will continue to use port 465 until it stops working, mainly out of spite. I hate bureaucratic cat fights.


That's the best thing to do at this moment, until users' habits change from STARTTLS to SSL/TLS.

Join the postfix-users mailing list to stay tuned about this.


----------

