SMTP AUTH Failure: "Server Does Not Support Secure Authentication"

I've followed the how to here:
http://www.howtoforge.com/howto_postfix_smtp_auth_tls_howto/

And thanks to Falko for pointing out mirrors for the sources in the above tutorial.
http://www.filewatcher.com/b/ftp/ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix.0.0.html

I've gone through the complete install. No errors. I've added Dovecot (1.0) so I can retreieve email using pop. I've added users and and domains, and I can send mail to and from these clients using TLS/SSL. But I cannot get the server to authenticate smtp.

Can anyone help me? Where would I look for errors? I see nothing in messages, maillog, or the dovecot logs.

This is driving me crazy...

 

telnet localhost 25
ehlo localhost

main.cf

Code:

virtual_mailbox_domains = domain1.com, domain2.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = wnetworks.net
myhostname = mail.$mydomain
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
alias_maps = hash:/etc/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

master.cf

Code:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd   -v
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission     inet    n       -       n       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

 

Using saslauthd to check credentials:

Code:

#> /usr/sbin/testsaslauthd -u user_domain.com -p userpassword 
0: OK "Success."

I am using Dovecot's 'auth_username_translation':
auth_username_translation = @_

That is why above I use user_domain.com and below I use user@domain.com

Encoded username/password:

Code:

#> perl -MMIME::Base64 -e 'print encode_base64("[email protected]\[email protected]\0userspassword");'
encodedpasswordoutput

Trying the encoded password via command prompt:

Code:

#> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
#> ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
#> AUTH PLAIN encodedpasswordoutput
535 Error: authentication failed

 

Here is the output in my maillog re authentication when attempting from command line (the one I showed the telnet out from above):

Code:

Sep  8 07:53:33 mail postfix/smtpd[6790]: < localhost.localdomain[127.0.0.1]: AUTH PLAIN encodedpasswordoutput
Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response encodedpasswordoutput
Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: decoded initial response domain2.com
Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: SASL authentication failure: Password verification failed
Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed
Sep  8 07:53:33 mail postfix/smtpd[6790]: > localhost.localdomain[127.0.0.1]: 535 Error: authentication failed

 

Thinking that perhaps I should not use the '@' and use the '_' instead, I got the new encoded credentials:

Code:

#> perl -MMIME::Base64 -e 'print encode_base64("user_domain.com\0user_domain.com\0userspassword");'
encodedpasswordoutput--2

And tried to telnet in:

Code:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
AUTH PLAIN encodedpasswordoutput--2
235 Authentication successful

Voila!


The main problem however, is that the remote mail client is told that the server does not support secure authentication, before I have a chance to send a password.

 

What are the exact error messages in your email client and in the mail log?

 

Thanks Falko.

Exact error in mail client:
"Mail server does not support secure authentication"

There are no entries in the maillog.

 

Thank you for the reply Till.

I assume you meant master.cf, and I uncommented those lines, rebooted, and I am still getting the error message "Mail server does not support secure authentication."...

 

This is sooooo odd.

Here it is a couple of hours later. I *think* the server is now authenticating. I did nothing at all, just walked away.

I open up Thunderbird, and fired off a mail to a remote location. It was relayed OK. Then, I fired up my Outlook Express, and sent a mail, and I think it worked! /var/log/maillog shows the mail getting through!

I'm going to keep my eye on things here, but thank you for the help, Falko and Till. I think I'll just hang out here for a while if that's ok. I'm learning a lot from all the threads here...

 

Actually, it is not authenticating. Postfix defaults to "mynetworks_style = subnet", unless specified:

In the setup, we do not specify mynetworks_style. Just for fun, I specified mynetworks_style = host, and authentication from my lan (on the same subnet) failed. So, I guess it isn't authenticating at all, but was allowing relaying because the machines are on the same sbunet.

And nothing at all is added to the log when I get the message "Mail server does not support secure authentication".

 

Then I guess your email client is connecting to the wrong server, or some kind of firewall is blocking all connections, because otherwise there should be something in the mail log.

Also comment out mynetworks_style in /etc/postfix/main.cf and put in

Code:

mynetworks = 127.0.0.0/8

instead.

 

/sbin/iptables --list:

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I don't check the "Use Secure Authentication" in Thunderbird, it goes through. So, I *know* the client is aimed at the right server. It just doesn't get authenticated. This is insane,. Just insane.

 

Clearly, I am not thinking straight. Of course there is no emntry in the maillog when I am checking mail. So I sent a mail this morning.

Error message to mail client:

maillog entries:

Code:

Sep 11 06:08:16 mail postfix/smtpd[2474]: resolve_clnt_query: `[email protected]' -> t=`smtp' h=`outsideDomain.com' r=`[email protected]'
Sep 11 06:08:16 mail postfix/smtpd[2474]: ctable_locate: install entry key [email protected]
Sep 11 06:08:16 mail postfix/smtpd[2474]: BB8A689E564: reject: RCPT from unknown[192.168.0.13]: 554 <[email protected]>: Recipient address rejected: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[127.0.0.1]>
Sep 11 06:08:16 mail postfix/smtpd[2474]: generic_checks: name=check_relay_domains status=2
Sep 11 06:08:16 mail postfix/smtpd[2474]: > unknown[192.168.0.13]: 554 <[email protected]>: Recipient address rejected: Relay access denied
Sep 11 06:08:17 mail postfix/smtpd[2474]: watchdog_pat: 0x843a118

 

Thank you. I did this.

 

Use "Server requires authentication." instead. What's in /etc/postfix/main.cf (please strip out the comments)?

 

Thank you falko.

main.cf:

Code:

virtual_mailbox_domains = wnetworks.net, joewilk.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = wnetworks.net
myhostname = mail.$mydomain
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_relay_domains
inet_interfaces = all
alias_maps = hash:/etc/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

 

Did it work with "Server requires authentication."?

 

I am sorry, I did not mean to give the impression that it worked. It did not work.

 

Then I have no idea. Maybe it's a good idea to reinstall the whole system.