Postfix "SASL authentication failure: No worthy mechs found"

Question

Trying to use postfix with smtp to connect to google's smtp. When trying to send mail, I get this error:

Sep 15 14:04:41 zedsaid postfix/smtp[20271]: certificate verification failed for smtp.gmail.com[74.125.95.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Sep 15 14:04:42 zedsaid postfix/smtp[20271]: warning: SASL authentication failure: No worthy mechs found
Sep 15 14:04:42 zedsaid postfix/smtp[20271]: 1BACD968B23: to=<nic@zedsaid.com>, relay=smtp.gmail.com[74.125.95.109]:587, delay=0.92, delays=0.06/0.03/0.83/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.95.109]: no mechanism available)

Running Debian 4.0.

Ideas?

Post the output of `postconf -n` and all other relevant configuration files of Postfix. You don't seem to have `smtp_sasl_password_maps` configured in your `main.cf`. — joschi, Sep 18 '10 at 05:50

score 6 · Answer 1 · answered Apr 07 '20 at 21:30

6

I have the error: SASL authentication failure: No worthy mechs found

with postfix running in a RaspberryPi3 (Debian 10 - Raspbian)

I fix installing the package libsasl2-modules

sudo apt update
sudo apt install libsasl2-modules

Hope it can help someone else.

answered Apr 07 '20 at 21:30

Robson Caldas

61
1
1

This fixed it for me on Raspbian. Thank you. – jvilalta Apr 23 '21 at 22:11

score 5 · Answer 2 · edited Apr 13 '17 at 12:14

(New user, can't post comment reply to sebix. Also removed all links.)

For modern installations (such as Ubuntu 16.04) that use Postfix as an SMTP client with SASL-auth to a remote server (e.g. like shown on the Debian wiki), it might indeed be needed to specify

smtp_sasl_security_options = noanonymous

What this does, however, is remove the noplaintext option (currently the default is noplaintext, noanonymous as per the postconf manual). smtp_sasl_tls_security_options defaults to $smtp_sasl_security_options. This could become an issue under some (mis)configurations, or in the future if defaults change.

EDITED: At the moment, though, it doesn't seem likely, especially if SASL is done in a TLS session. This is forced if the remote server has smtpd_tls_auth_only or smtpd_enforce_tls (which implies the former) or whatever non-Postfix equivalent.

To check what Postfix defaults to, use postconf -d (via).

score 4 · Answer 3 · answered Oct 12 '17 at 14:21

4

this solved it for me (on centos 7 not default, was OK on older Centos versions)

yum install cyrus-sasl{,-plain} 
service postfix restart

answered Oct 12 '17 at 14:21

zzapper

341
3
7

1

This solved it for me using Alpine. Although Alpine doesn't list a cyrus-sasl-plain package I was able to install it and it solved the problem. – Marcus Ahlberg Mar 31 '21 at 12:17

score 2 · Accepted Answer · answered Sep 17 '10 at 15:35

It looks like the clue is right here:

untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

you need to get the equifax cert and add it to your list of trusted CA certs.

I think that these are available here: http://www.geotrust.com/resources/root-certificates/

score 2 · Answer 5 · edited Jan 08 '15 at 22:50

2

Possibly multiple problems here, the certs being one and another maybe related to smtp_sasl_security_options. I once solved a problem involving that "no mechs" message by setting smtp_sasl_security_options=noanonymous following a clue found on linuxquestions.org

edited Jan 08 '15 at 22:50

sebix

4,175
2
25
45

answered Jan 08 '15 at 21:01

ike.ahnoklast

21
1

What is the suggested solution? – sebix Jan 08 '15 at 22:31

Postfix "SASL authentication failure: No worthy mechs found"

5 Answers5

this solved it for me (on centos 7 not default, was OK on older Centos versions)

Linked