
Using CentOS 8, I've set up dovecot and postfix and tested that:

  • I can sign in as an authenticated user
  • Read email (IMAP)
  • Send email to the same/different account on the server
  • Send email outbound, to an internet mail server
  • Server does not act as an open relay

I can't receive email from an outside (internet) email server. I can clearly see attempts made to deliver email.

Inside /var/log/maillog I see the following lines (replacing the host name with <emailserver>):

Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: warning: SASL: Connect to /var/spool/postfix/private/auth failed: No such file or directory
Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: fatal: no SASL authentication mechanisms

A larger scope of the log (with debugging turned on, 00.00.0.000 is my email server's internet ip):

Apr 25 22:27:23 <emailserver> postfix/submission/smtpd[565409]: connect from unknown[00.00.0.000]
Apr 25 22:27:23 <emailserver> postfix/submission/smtpd[565409]: disconnect from unknown[00.00.0.000] ehlo=1 mail=0/1 quit=1 commands=2/3
Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: connect from unknown[00.00.0.000]
Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: Anonymous TLS connection established from unknown[00.00.0.000]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: warning: SASL: Connect to /var/spool/postfix/private/auth failed: No such file or directory
Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: fatal: no SASL authentication mechanisms
Apr 25 22:27:49 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565409 exit status 1
Apr 25 22:30:32 <emailserver> postfix/smtpd[565512]: connect from <emailserver>.<tld>[00.00.0.000]
Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: SSL_accept error from <emailserver>.<tld>[00.00.0.000]: lost connection
Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: lost connection after CONNECT from <emailserver>.<tld>[00.00.0.000]
Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: disconnect from <emailserver>.<tld>[00.00.0.000] commands=0/0
Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: warning: hostname zg-0416a-115.stretchoid.com does not resolve to address 192.241.214.121: Name or service not known
Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: connect from unknown[192.241.214.121]
Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: fatal: no SASL authentication mechanisms
Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
Apr 25 22:32:03 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565532 exit status 1
Apr 25 22:32:03 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max connection rate 1/60s for (smtp:192.241.214.121) at Apr 25 22:32:02
Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max connection count 1 for (smtp:192.241.214.121) at Apr 25 22:32:02
Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max cache size 1 at Apr 25 22:32:02
Apr 25 22:37:32 <emailserver> postfix/smtpd[565650]: connect from unknown[37.49.225.144]
Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
Apr 25 22:37:32 <emailserver> postfix/smtpd[565650]: fatal: no SASL authentication mechanisms
Apr 25 22:37:33 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565650 exit status 1
Apr 25 22:37:33 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Apr 25 22:38:33 <emailserver> postfix/smtpd[565666]: connect from unknown[00.00.0.000]
Apr 25 22:38:33 <emailserver> postfix/smtpd[565666]: fatal: no SASL authentication mechanisms
Apr 25 22:38:33 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
Apr 25 22:38:34 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565666 exit status 1
Apr 25 22:38:34 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Apr 25 22:39:35 <emailserver> postfix/smtpd[565697]: connect from unknown[185.220.205.196]

I can clearly see the directory exists:

[root@emailserver ~]# ls -lZ /var/spool/postfix/private/auth
srw-rw----. 1 postfix postfix system_u:object_r:postfix_private_t:s0 0 Apr 18 23:58 /var/spool/postfix/private/auth

Also no SELinux denials/errors...

[root@emailserver ~]# grep "denied" /var/log/audit/audit.log
[root@emailserver ~]# grep "SELinux is preventing" /var/log/messages
[root@emailserver ~]#

The dovecot config, checked against "Connect to private/auth failed: No such file or directory":

[root@<emailserver> ~]# dovecot -n
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0 x86_64 CentOS Linux release
# Hostname: <emailserver>.<tld>
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %n
first_valid_uid = 1000
mail_location = maildir:~/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_ca = </etc/pki/tls/certs/<emailserver>.<tld>.ca-bundle
ssl_cert = </etc/pki/tls/certs/<emailserver>_<tld>.crt
ssl_cipher_list = PROFILE=SYSTEM
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lmtp {
  hostname = <emailserver>.<tld>
  postmaster_address = postmaster@<emailserver>.<tld>
}

The postfix config (I assume the 'noanonymous' has something to do with my problem?):

[root@<emailserver> ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = <emailserver>.<tld>, $myhostname, localhost.$mydomain, localhost
mydomain = <emailserver>.<tld>
myorigin = <emailserver>.<tld>
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs/
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/tls/certs/<emailserver>.<tld>.crt
smtpd_tls_key_file = /etc/pki/tls/private/<emailserver>_<tld>.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtputf8_enable = no
unknown_local_recipient_reject_code = 550
virtual_transport = dovecot
[root@<emailserver> ~]#

The /etc/postfix/master.cf file:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      #-o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
      -o smtpd_sasl_path=/var/spool/postfix/private/auth
smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_tls_wrappermode=yes
      #-o smtpd_recipient_restrictions=reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
      -o smtpd_sasl_path=/var/spool/postfix/private/auth
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  #-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  # -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  #-o smtpd_sasl_path=private/auth
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

As per another SF question the sasl package is installed:

[root@emailserver ~]# dnf install cyrus-sasl-plain
Last metadata expiration check: 0:59:13 ago on ... PM CDT.
Package cyrus-sasl-plain-2.1.27-5.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@emailserver ~]#

Any help resolving this would be greatly appreciated.

dark_st3alth
  • Your log shows failure on *both* submission and smtp, so your problem is *not* limited to external mail. Try restarting dovecot and investigating what it logs as it starts or fails to start. – anx Apr 28 '21 at 01:52
  • Two oddities in your `master.cf` (just confusing, not likely contributing to your problem): a) You have overridden `syslog_name` for `submission`, but not for `smtps`. b) On 3 smtpd ports, you have overridden *different* `smtpd_sasl_` settings - yet each to the same value which they already inherit from `main.cf`. – anx Apr 28 '21 at 01:57
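
Added example, not part of the question or its comments: a Python check for two conditions visible in the posted configuration, a chrooted smtpd entry (the `y` in the chroot column of `submission`) that inherits an absolute `smtpd_sasl_path`, which a chrooted process resolves inside `queue_directory`, and `noplaintext` applied to sessions without TLS while Dovecot offers only `plain login`. The function names and finding labels are illustrative, and the input is a constructed excerpt of the posted files.

```python
import re

# Constructed input, trimmed from the master.cf / postconf -n / dovecot -n output above.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_path=/var/spool/postfix/private/auth
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_security_options=noanonymous
  #-o smtpd_sasl_path=private/auth
pickup    unix  n       -       n       60      1       pickup
"""
MAIN_CF = {"queue_directory": "/var/spool/postfix",
           "smtpd_sasl_path": "/var/spool/postfix/private/auth",
           "smtpd_sasl_security_options": "noanonymous, noplaintext"}
DOVECOT_MECHS = {"plain", "login"}      # auth_mechanisms
PLAINTEXT_MECHS = {"plain", "login"}    # removed by the noplaintext option

def smtpd_services(master_text):
    """Return [name, chroot_flag, {-o overrides}] for each smtpd entry."""
    entries = []
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank or comment line
        if line[0].isspace():                     # continuation: "-o name=value"
            m = re.match(r"\s+-o\s+(\w+)=(.*)", line)
            if m and entries:
                entries[-1][3][m.group(1)] = m.group(2).strip()
        elif len(line.split()) >= 8:
            f = line.split()
            entries.append([f[0], f[4], f[7], {}])
    return [[n, c, o] for n, c, cmd, o in entries if cmd == "smtpd"]

def lint(master_text, main_cf, dovecot_mechs):
    """Flag smtpd services whose SASL settings cannot work as configured."""
    findings = []
    for name, chroot, overrides in smtpd_services(master_text):
        eff = {**main_cf, **overrides}            # -o overrides main.cf
        path = eff["smtpd_sasl_path"]
        if chroot == "y" and path.startswith("/"):
            # A chrooted smtpd resolves absolute paths inside queue_directory.
            findings.append((name, "sasl-path-in-chroot", eff["queue_directory"] + path))
        opts = {o.strip() for o in eff["smtpd_sasl_security_options"].split(",")}
        if "noplaintext" in opts and not dovecot_mechs - PLAINTEXT_MECHS:
            # Applies to sessions without TLS; no mechanism is left to offer.
            findings.append((name, "no-mechanism-without-tls", "noplaintext"))
    return findings

if __name__ == "__main__":
    print(*lint(MASTER_CF, MAIN_CF, DOVECOT_MECHS), sep="\n")
```

Removing `noplaintext` lets PLAIN and LOGIN be offered on unencrypted sessions; `smtpd_tls_auth_only=yes` (commented out in the posted master.cf) restricts AUTH to TLS sessions instead.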
