Postfix offline - SASL error

Discussion in 'Installation/Configuration' started by NueX, Nov 24, 2020.

  1. NueX

    NueX Member

    Maybe related: also my mail setup stopped working after applying the 3.2.1 update (from 3.2) through the updater. Also tried to download and update manually to fix, same result.
    Here, postconf is fine, no errors. No failed services with systemctl --state=failed but mail.log shows:
    Code:
    Nov 24 20:37:13 nx postfix/smtpd[12042]: fatal: no SASL authentication mechanisms
    Should I open a separate topic?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Both for you and OP, did you reconfigure services when updating?
     
  3. NueX

    NueX Member

    Yes. Twice. Checked diffs in master.cf and dovecot.conf before and after the update, no differences.
     
  4. NueX

    NueX Member

    /var/log/mail.err:
    Code:
    Nov 24 19:42:35 xx dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
    Nov 24 19:42:35 xx dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Connection refused
    Nov 24 19:42:35 xx dovecot: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Connection refused
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share postfix's main.cf?
     
  6. NueX

    NueX Member

    /etc/postfix/main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = xxxx.de
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = xxxx.de, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 10737418240
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    inet_protocols = all
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client mail.bl.blocklist.de, reject_rbl_client dnsbl.inps.de, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_unauth_pipelining , permit
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = dane
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    message_size_limit = 104857600
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_helo_required = yes
    #smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    strict_rfc821_envelopes = yes
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_delay_reject = yes
    policy-spf_time_limit = 3600s
    compatibility_level = 2
    non_smtpd_milters = inet:localhost:11332
    address_verify_sender_ttl = 15686s
    enable_original_recipient = no
    smtpd_milters = inet:localhost:11332
    milter_protocol = 6
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_default_action = accept
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    smtp_dns_support_level = dnssec
    smtpd_reject_unlisted_sender = yes
    Diff previous working to current after update:
    Code:
    # diff etc/postfix/main.cf /etc/postfix/main.cf
    61c61
    < smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client mail.bl.blocklist.de, reject_rbl_client dnsbl.inps.de, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, permit_sasl_authenticated, reject_unauth_pipelining , permit
    ---
    > smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client mail.bl.blocklist.de, reject_rbl_client dnsbl.inps.de, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_unauth_pipelining , permit
    102,103c102,103
    < tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    < tls_preempt_cipherlist = no
    ---
    > tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    > tls_preempt_cipherlist = yes
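Review bot: the new tls_medium_cipherlist on the ">" side appends CBC-mode SHA-1 suites, RSA key-exchange suites without forward secrecy (AES128-SHA, AES256-SHA and similar) and DES-CBC3-SHA (3DES) to a list that previously held only ECDHE/DHE AEAD suites, and smtpd_tls_mandatory_ciphers = medium in the same main.cf selects this list. If the wider list is there for old clients, consider at least dropping DES-CBC3-SHA or adding 3DES to smtpd_tls_exclude_ciphers, which currently lists only RC4 and aNULL. Nothing in this hunk touches a SASL parameter, so it is unlikely to be connected to the authentication failure.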
    106a107
    > smtpd_reject_unlisted_sender = yes
    
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Is dovecot running, any errors in mail.log when restarting dovecot?

    What's the result of:

    ls -la /var/run/dovecot/stats-writer
     
  8. NueX

    NueX Member

    Dovecot is running, no errors on restart / startup.
    Code:
    # ls -la /var/run/dovecot/stats-writer
    srw-rw---- 1 vmail vmail 0 Nov 24 21:37 /var/run/dovecot/stats-writer
     
  9. NueX

    NueX Member

    When trying to connect through the mail client:
    /var/log/mail.log
    Code:
    Nov 24 21:47:32 xxx dovecot: auth-worker(25869): sql(XXuser,yyy.yyy.yyy,<Xyd5a+C0jc+5bris>): unknown user
    Nov 24 21:47:33 xxx postfix/submission/smtpd[25898]: warning: hostname c-.customer.provider.de does not resolve to address yyy.yyyy.yyy
    Nov 24 21:47:33 xxx postfix/submission/smtpd[25898]: connect from unknown[yyy.yyyy.yyy]
    Nov 24 21:47:33 xxx postfix/smtpd[25863]: warning: unknown[zzz.zzz.zzz]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Nov 24 21:47:34 xxx postfix/smtpd[25863]: disconnect from unknown[zzz.zzz.zzz] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    
     
  10. NueX

    NueX Member

    Incoming mail still working fine, mails show up in rspamd history on web interface.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use the email address as username in the email client, or do you use an alternative login name?
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do you have any other relevant entries in your mail.log, mail.warn, mail.err, or syslog?
     
  13. NueX

    NueX Member

  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so your issue can be related to the use of alternative usernames only. Please diff dovecot-sql.conf file against the one from backup.

    If you used 3.2 before successfully, then it normally can't be an issue from a beta version that is older than 3.2.
     
  16. NueX

    NueX Member

    Full /var/log/mail.err (the last entry is new)
    Code:
    Nov 24 19:42:35 xxx dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
    Nov 24 19:42:35 xxx dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Connection refused
    Nov 24 19:42:35 xxx dovecot: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Connection refused
    Nov 24 20:37:13 xxx postfix/smtpd[12042]: fatal: no SASL authentication mechanisms
    Nov 24 20:37:13 xxx dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
    Nov 24 20:37:13 xxx dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Connection refused
    Nov 24 21:37:36 xxx dovecot: auth: Error: auth worker: Aborted PASSV request for [email protected]: Worker process died unexpectedly
    Nov 24 21:37:40 xxx postfix/smtpd[23990]: fatal: no SASL authentication mechanisms
    
    relevant in /var/log/mail.warn
    Code:
    Nov 24 21:47:51 xxx postfix/submission/smtpd[25898]: warning: unknown[185.110.184.172]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Nov 24 21:47:53 xxx postfix/submission/smtpd[25898]: warning: unknown[185.110.184.172]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    I don't see anything else in syslog or mail.log
     
  17. NueX

    NueX Member

    Agreed, solved that beta issue together with @Jesse Norell in a night session. But it was related to the alternative user name.
    The diff before update (backup) to after update:
    Code:
    # diff etc/dovecot/dovecot-sql.conf /etc/dovecot/dovecot-sql.conf
    17c17,18
    < password_query = SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND server_id = '1'
    ---
    > password_query = SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND server_id = '1' AND EXISTS (SELECT domain_id FROM mail_domain WHERE domain = '%d' AND active = 'y' AND server_id = 1)
    >
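Review bot: the added EXISTS subquery filters on domain = '%d' while the outer WHERE still accepts login = '%u', so a login name without an @domain part expands %d to an empty string and the subquery matches no mail_domain row. The lookup then returns nothing even though the mail_user row matches, which fits the "unknown user" line in mail.log. To keep the active-domain check for both login styles, take the domain from the matched row instead, for example by comparing mail_domain.domain with SUBSTRING_INDEX(mail_user.email, '@', -1).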
    
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the mail.err entries might be just from a service restart.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to restore the old password query line, restart dovecot, and check if this solves the issue.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Just a wild guess, maybe %d placeholder is not set by dovecot when username is not an email address?
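
An added illustration, not code from the thread or from ISPConfig: it runs the WHERE clauses of the two password_query lines from the diff against an in-memory SQLite database to show what happens when %d expands to an empty string. The sample rows, the `example.test` domain, the `alice_alt` login and the helper names are constructed for the example, and the expansion helper only models Dovecot's %u, %d and %Ls variables.

```python
import sqlite3

# WHERE clauses copied from the two password_query lines in the diff; the long
# SELECT list is shortened to the email column (simplification for this demo).
OLD_QUERY = ("SELECT email FROM mail_user WHERE (login = '%u' OR email = '%u') "
             "AND `disable%Ls` = 'n' AND server_id = '1'")
NEW_QUERY = OLD_QUERY + (" AND EXISTS (SELECT domain_id FROM mail_domain "
                         "WHERE domain = '%d' AND active = 'y' AND server_id = 1)")


def _esc(value):
    """Minimal SQL quoting, enough for the constructed inputs used here."""
    return value.replace("'", "''")


def expand(template, username, service):
    """Model Dovecot's expansion of the three variables the query uses."""
    domain = username.partition("@")[2]   # %d: empty when the login has no '@'
    return (template.replace("%Ls", _esc(service.lower()))
                    .replace("%u", _esc(username))
                    .replace("%d", _esc(domain)))


def make_db():
    """Constructed sample data: one mailbox that also has an alternative login."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mail_domain (domain_id INTEGER, domain TEXT, active TEXT, server_id INTEGER);
        CREATE TABLE mail_user (email TEXT, login TEXT, disablesmtp TEXT, server_id INTEGER);
        INSERT INTO mail_domain VALUES (1, 'example.test', 'y', 1);
        INSERT INTO mail_user VALUES ('alice@example.test', 'alice_alt', 'n', 1);
    """)
    return db


def lookup(db, template, username, service="smtp"):
    """Return the matched mailbox address, or None (logged as 'unknown user')."""
    row = db.execute(expand(template, username, service)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name in ("alice@example.test", "alice_alt"):
        print(name, "| old:", lookup(db, OLD_QUERY, name),
              "| new:", lookup(db, NEW_QUERY, name))
```
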
     
