# postfix issue



## tony33 (Mar 18, 2016)

I have latest FreeBSD 10.2 and  latest Postfix and Dovecot.

In my mail logs I use TLS for mail connections. I can see my mail client connecting to my mail server via TLS. However, it always fails with:

```
fatal: no SASL authentication mechanisms
```

Why does this occur? I do have it installed and supported. In Dovecot I do specify the login methods. I have no clue what the issue is and it has been driving me crazy. I did a Google search, but most results are old, outdated threads, and I never found anyone who had a solution, other than a few who forgot to install libraries to support it or set up Postfix wrong.

SASL type is Dovecot.  I need suggestions on what could possibly be the problem. Any help would be appreciated.


----------



## obsigna (Mar 18, 2016)

What did you specify for the parameter auth_mechanisms in file /usr/local/etc/dovecot/dovecot.conf?

Further reading: http://wiki2.dovecot.org/Authentication/Mechanisms


----------



## tony33 (Mar 18, 2016)

obsigna said:


> What did you specify for the parameter auth_mechanisms in file /usr/local/etc/dovecot/dovecot.conf?
> 
> Further reading: http://wiki2.dovecot.org/Authentication/Mechanisms




I have this :  auth_mechanisms = plain login cram-md5 digest-md5

I am trying to get plain login to work. I use ttls and eventually want to get a secure connection method to work. Passwords aren't encrypted. I first want to get a plain login to work. Then I will move on to trying to get an encrypted one to work.

I am aware of that website. But there are no deep details on why I am getting my error. I googled around and there are many people having it, but most fixed it by reinstalling postfix and dovecot. However, they had the same error with additional errors that show they deleted important files. So, no one has had the same exact issue as me, but some did have a few of the same errors.

I don't want to delete postfix and dovecot and reinstall it.  I don't think I am missing files. I don't get any not found or missing type of errors. 

I think the auth config is screwed up. Maybe put in the wrong area.

Where  must that variable be located in the config file?


That error is from mail.log  but in dovecot.log I see this:

imap-login : 
Auth process broken (disconnected before auth was ready, waited 0 secs): ,user<>, the shows client ip, my server ip and then the 0 seconds connection etc.

It then says this:  
Error: auth: environment corrupt; missing value for DOVECOT_

then this:

Fatal: unsetenv(RESTRICT_SETUID) failed: Bad address

Then shows a throttle and then a kill signal 15. 

I have no clue what is the issue here. I cannot find anything online to guide me to where the problem can be at.


----------



## obsigna (Mar 19, 2016)

Specify for auth_mechanisms only what you set up properly. Dovecot advertises the list of mechanisms and Postfix passes this to the clients. Nowadays many clients choose from that list the authentication mechanisms that fits best in terms of security and ability. For example, it may well happen that your client requests cram-md5 (since Postfix said that it is available, based on the info it got from Dovecot), but you did not set up Dovecot properly for it.

Specify auth_mechanisms = plain, and try again. BTW, my /usr/local/etc/postfix/main.cf got:

```
# INCOMING MAIL
smtpd_sasl_auth_enable              = yes
smtpd_sasl_type                     = dovecot
smtpd_sasl_path                     = private/auth

smtpd_relay_restrictions            = permit_mynetworks,
                                      permit_sasl_authenticated,
                                      reject_unauth_destination
...
```


----------



## tony33 (Mar 21, 2016)

obsigna said:


> Specify for auth_mechanisms only what you set up properly. Dovecot advertises the list of mechanisms and Postfix passes this to the clients. Nowadays many clients choose from that list the authentication mechanisms that fits best in terms of security and ability. For example, it may well happen that your client requests cram-md5 (since Postfix said that it is available, based on the info it got from Dovecot), but you did not set up Dovecot properly for it.
> 
> Specify auth_mechanisms = plain, and try again. BTW, my /usr/local/etc/postfix/main.cf got:
> 
> ...




I just tried auth_mechanisms = plain, and set that and get the same exact error.

I am going to try and set in postfix the private/auth like how you did it. 

Your postfix setup is similar to mine. However, I give a direct path to private auth.

I did try that plain mechanism setup like how you said and tested it and still in the logs get the same exact error saying that there's no mechanisms.  Is there anything to show me where the auth_mechanisms needs to be in the dovecot config file? I have the latest dovecot version.


----------



## obsigna (Mar 21, 2016)

I put everything into the file /usr/local/etc/dovecot/dovecot.conf. You can verify, whether the setting is active by examining the output of the `doveconf` command. I use the cram-md5 mechanism, for details see the following thread: https://forums.freebsd.org/threads/42507/#post-236397

Now, I remember, for the plain mechanism, you need to set disable_plaintext_auth = no.


----------



## tony33 (Mar 23, 2016)

obsigna said:


> I put everything into the file /usr/local/etc/dovecot/dovecot.conf. You can verify, whether the setting is active by examining the output of the `doveconf` command. I use the cram-md5 mechanism, for details see the following thread: https://forums.freebsd.org/threads/42507/#post-236397
> 
> Now, I remember, for the plain mechanism, you need to set disable_plaintext_auth = no.



I will look into that. I tried what you said to change it to no and still get the same error. The error I been telling you comes from postfix.

The dovecot logs show this:


```
"auth: environment corrupt; missing value for DOVECOT_
Fatal: unsetenv(RESTRICT_SETUID) failed: Bad address"
```

I tried what you said to change it to no. I still get the  same error.

I ran the `doveconf` command and it does show `auth_mechanisms = plain` in the output. So, it's active.


----------



## obsigna (Mar 23, 2016)

tony33 said:


> ...
> The dovecot logs show this:
> `"auth: environment corrupt; missing value for DOVECOT_
> Fatal: unsetenv(RESTRICT_SETUID) failed: Bad address"`



Verify the service auth {} section in the dovecot configuration file. Mine is:

```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user  = postfix
    group = postfix
    mode  = 0666
  }
}
```
Then you need to verify, that the directory /var/spool/postfix/private/ does exist, and that the user postfix has rwx privileges in it. My path looks like this:

```
ls -ld /var/spool/postfix/private/
drwx------  2 postfix  wheel  512 22 Mär 05:28 /var/spool/postfix/private/
```
In the case, that your unix_listener for the service auth resides in a different place, you need to do a similar check for your actual path, and in addition you need to make sure that in the Postfix configuration file /usr/local/etc/postfix/main.cf you specified the path correctly, in my case it is smtpd_sasl_path = private/auth. Your actual path may be different, however, the respective settings in dovecot.conf and in file postfix/main.cf *MUST* match, and in addition the path must exist and must be rwx for the user postfix.


----------



## tony33 (Mar 23, 2016)

obsigna said:


> Verify the service auth {} section in the dovecot configuration file. Mine is:
> 
> ```
> service auth {
> ...
> ```




Here's my setup:


```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    mode = 0666
    user = root
    group = wheel
  }
}
```


Ran the command you asked and this is what I got:


```
ls -ld /var/spool/postfix/private/
drwx------  2 postfix  wheel  512 Mar 22 22:31 /var/spool/postfix/private/
```
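
The consistency check discussed above (the Postfix smtpd_sasl_path and the Dovecot unix_listener must name the same socket), as an added example that is not part of the original posts or of either project. It parses constructed samples shaped like `postconf -n` and `doveconf -n` output, assumes Dovecot's default base_dir of /var/run/dovecot, and additionally flags world-writable listener modes.

```python
import posixpath
import re

# Constructed samples shaped like `postconf -n` / `doveconf -n` output (values from this thread).
POSTCONF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_path = private/auth
"""
DOVECONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = wheel
    mode = 0666
    user = root
  }
}
"""

def postfix_sasl_socket(postconf_text):
    """Absolute path of the socket the Postfix smtpd will connect to."""
    conf = dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(\S*)", postconf_text, re.M))
    # A relative smtpd_sasl_path is resolved against queue_directory.
    return posixpath.join(conf["queue_directory"], conf["smtpd_sasl_path"])

def dovecot_auth_listeners(doveconf_text, base_dir="/var/run/dovecot"):
    """Map each `service auth` listener to its settings; relative names go under base_dir."""
    svc = re.search(r"^service auth \{\n(.*?)^\}", doveconf_text, re.M | re.S)
    blocks = re.findall(r"unix_listener (\S+) \{(.*?)\}", svc.group(1), re.S) if svc else []
    return {posixpath.join(base_dir, name):
            dict(re.findall(r"(\w+)[ \t]*=[ \t]*(\S*)", body)) for name, body in blocks}

def audit(postconf_text=POSTCONF, doveconf_text=DOVECONF):
    sock = postfix_sasl_socket(postconf_text)
    listeners = dovecot_auth_listeners(doveconf_text)
    findings = []
    if sock not in listeners:
        findings.append(f"mismatch: Postfix expects {sock}, Dovecot has no listener there")
    for path, opts in listeners.items():
        # Connecting to a UNIX socket needs write permission on it.
        if int(opts.get("mode") or "0600", 8) & 0o002:
            findings.append(f"world-writable: {path} (mode {opts['mode']})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```

The 0666 socket under /var/spool/postfix/private/ is still shielded by the drwx------ mode of that directory shown in the `ls -ld` output, whereas a relative listener such as auth-master is created under base_dir. Mode 0660 with user and group postfix is sufficient for the listener Postfix connects to.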


----------



## obsigna (Mar 23, 2016)

In the service auth {...} section, I left unix_listener auth-master {...} at its default settings:
`doveconf`

```
...
  unix_listener auth-master {
    group =
    mode = 0600
    user =
  }
...
```
However, I can't tell whether this makes up for the difference. For what reasons did you set other than the default settings for auth-master?


----------



## tony33 (Mar 25, 2016)

obsigna said:


> In the service auth {...} section, I left unix_listener auth-master {...} at its default settings:
> `doveconf`
> 
> ```
> ...
> ```




That was how my old config was set up. I followed a tutorial on it and that is how it was set up. I use mysql for login lookups. It was working, but when I upgraded postfix and dovecot to the latest versions like dovecot 1.7 to 2.0 etc... At that point there were several errors. My servers wouldn't even start.

I then saw the migration manuals and followed some online tutorials to convert the old configs to the new configs. I followed them and that is how I can now start the servers. This is where I am at. I am able to run the servers and don't see any errors other than the ones posted here. I haven't been able to log in to my mail server. This was since Fall of 2014.

Right now I have no clue why I am getting these errors. I am using tls / ssl and those work fine. I can see that those work and then right when we get to the authentication we get the errors I get.

I have setup dovecot and postfix to use mysql for lookup tables for logins.


----------



## tony33 (Mar 25, 2016)

obsigna said:


> In the service auth {...} section, I left unix_listener auth-master {...} at its default settings:
> `doveconf`
> 
> ```
> ...
> ```



I followed your suggestion and still gives me the same error.  I changed the auth-master to what you have and it still doesn't work. 

Do you know where I can get a hold of people that work on dovecot to get some kind of help? I think there's some variable missing that either got deleted from the upgrade or something. I don't feel like reinstalling dovecot. I hope I can reach someone that can shed more light on this issue.


----------



## obsigna (Mar 25, 2016)

For hard core dovecot support, I would certainly post my questions on the Dovecot mailing list: http://dovecot.org/mailinglists.html

However, if I would find myself in an infinite loop since 2014, trying to migrate dovecot 1.7 to 2.x settings, I would have certainly broken out long time ago, by deleting all the old shit and newly setting-up my mail service, utilizing the original documentation and perhaps a decent up to date tutorial.


----------



## tony33 (Mar 25, 2016)

obsigna said:


> For hard core dovecot support, I would certainly post my questions on the Dovecot mailing list: http://dovecot.org/mailinglists.html
> 
> However, if I would find myself in an infinite loop since 2014, trying to migrate dovecot 1.7 to 2.x settings, I would have certainly broken out long time ago, by deleting all the old shit and newly setting-up my mail service, utilizing the original documentation and perhaps a decent up to date tutorial.



I will post there. There's no good full blown tutorial on how to migrate from one version to another. Most just say check the migration manual which only covers major differences between the two versions. 

I followed that manual and cleared out most obsolete or deprecated errors. So, the issue isn't a migration issue. Right now it's the auth mechanism that is broken. I seriously think once I clear this then the server will start working once again. I seriously think the variable or the link in the software is lost or deleted or cleared out. According to the logs there's one variable config missing. I think only the people that work on the software could answer this. Or anyone that has worked with the code of dovecot could answer this question. I'd rather do this than redo the whole setup. I spent like 3 to 4 months configuring my mail servers correctly when I first installed the software and set them up. Followed a tutorial and it worked fine. It's just the upgrades caused a lot of issues. Even when I had to upgrade the FreeBSD version.. there's always some kind of link getting corrupted or many configs need to be reconfigured with new words and settings etc.

I don't feel like deleting everything and then starting again from scratch. I will spend another 3 to 4 months trying to figure out how to set up the system to where I want it. It's a lot of work to get mysql database to work with the mail servers and then add in ssl security and then add in quotas etc.


----------



## gkontos (Mar 25, 2016)

On Dovecot versions > 2 there is usually a user that needs to be created, called vmail with uid 5000.  That user has ownership of the mail location.


```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
}
```


```
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
```


```
mail_location = maildir:/usr/local/vhosts/mail/%d/%n:LAYOUT=fs
mail_home = /usr/local/vhosts/mail/%d/%n
```


```
user_query = SELECT CONCAT('*:messages=1000000:bytes=', quota) as quota_rule, 5000 AS uid, 5000 AS gid FROM mailbox WHERE username = '%u' AND active = '1'
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u' AND active = '1'
```


----------



## tony33 (Mar 25, 2016)

Thanks for the help. Decided to not go to dovecot. I think the process is too complicated. I will search for a forum online. I will ask around on the net. I can see many having the same issue when doing a google search.


----------



## gkontos (Mar 25, 2016)

tony33 said:


> Thanks for the help. Decided to not go to dovecot. I think the process is too complicated. I will search for a forum online. I will ask around on the net. I can see many having the same issue when doing a google search.


Dovecot is the best IMAP server you can find. I would not drop faith so quickly.


----------



## tony33 (Mar 29, 2016)

gkontos said:


> Dovecot is the best IMAP server you can find. I would not drop faith so quickly.



I have a virtual user created for dovecot. The issue isn't about not having a virtual user. I got on IRC and got a hold of people that work heavily with dovecot. They told me that it's either a config issue or a file was damaged when I did the upgrading. The file has to be with the auth association. However, they looked at my config and said everything looks ok. So, they will help me find the file that's damaged. They suspect a file or multiple files are corrupted.


----------

