5

I had a Postfix/Dovecot server up and running for about a week until I had to reboot it. When I did, things stopped working. I've been up searching for hours to no avail.

IMAP successfully authenticates (despite Dovecot being configured to piggyback off of Postfix auth). Postfix does not and instead fails with the following error: `SASL authentication failure: cannot connect to saslauthd server: Permission denied`

I've tried adding the postfix user to the saslauth group (not sasl, as per several Google results). That hasn't changed anything. Postfix doesn't appear to have a /var/spool/postfix/var/ directory at all (it doesn't have /var/, /etc/ or anything), so no /var/run/saslauthd permissions can be modified. However, it was working before the reboot, so I don't think it not having this is the issue.

I've started saslauthd in debug mode and it doesn't output anything. I've searched everywhere and tried every solution I can find, but none seem to help.

Postfix is configured for PLAIN and LOGIN auth mechanisms. saslauthd is configured to use PAM auth (changing to shadow doesn't help).

My apologies if this is somewhat poorly worded, it's 12 midnight and I've been working on this since about 9:45 PM.

doveconf -n:

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.5-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug)
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap pop3
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list =      EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd     $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = (example.com)
myhostname = mail.(example.com)
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions =     permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

master.cf:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

saslauthd run_path is /run/saslauthd

Kalle Richter
flashbang
  • Please post output command `postconf -n` and `dovecot -n`. Please post content of `master.cf` too. This will help us identify source problem. – masegaloeh Jun 26 '14 at 06:16
  • @masegaloeh There we go – flashbang Jun 26 '14 at 11:31
  • Ah, I misread your question. Looks like you have trouble with saslauth. The first check is (1) Is your postfix chroot? (this is the reason why I ask the content of `master.cf`, to check chrooted process) and (2) Where is the socket location of saslauthd? (you can check by run `saslauthd -a pam -d` and check the **run_path** entry) – masegaloeh Jun 26 '14 at 14:22
  • Alright, I've added the requested information. I appreciate your help! – flashbang Jun 26 '14 at 15:11
  • Ah, above file clarified that postfix doesn't run by chroot. The last request, please post the relevant lines from `/usr/lib/sasl2/smtpd.conf`. Anyway what OS/distro did you have? – masegaloeh Jun 26 '14 at 15:33
  • I'm running Fedora 20. I can't find /usr/lib/sasl2/smtpd.conf...I'm not sure where to look either. – flashbang Jun 26 '14 at 15:45
  • Does `/usr/lib/sasl2/` or `/etc/sasl2/` exist? Is saslauthd run_path value `/run/saslauthd` or `/var/run/saslauthd`? – masegaloeh Jun 26 '14 at 15:56
  • `/etc/sasl2/` exists. I found smtpd.conf inside, its contents were `pwcheck_method: saslauthd` `mech_list: plain login` – flashbang Jun 26 '14 at 15:57
  • The saslauthd run_path is /run/saslauthd. – flashbang Jun 26 '14 at 15:58
  • Hmmm, looks like this *bug* was resolved by maintainer in newer release. What output of `rpm -qf /run/saslauthd/`? – masegaloeh Jun 26 '14 at 23:24
  • `cyrus-sasl-2.1.26-14.fc20.x86_64` – flashbang Jun 27 '14 at 00:29
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/15368/discussion-between-masegaloeh-and-user3131004). – masegaloeh Jun 27 '14 at 02:49

3 Answers

5

Tell saslauthd to create its socket within Postfix's chroot jail via its -m option, e.g. -m /var/spool/postfix/var/run/saslauthd. On my Ubuntu I appended this line to /etc/default/saslauthd:

 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

and then I did

 service saslauthd stop
 mkdir -p /var/spool/postfix/var/run
 mv /var/run/saslauthd /var/spool/postfix/var/run/
 service saslauthd start

You might want to leave a softlink at the old place in case other services (like an IMAP service) expect to find /var/run/saslauthd:

 ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/

If /var/run/ is a tmpfs you might have to create that link each time after boot, e.g. somewhere within /etc/init.d/saslauthd.

Nils Toedtmann
3

You could also try to add postfix user to sasl group.

Viktor
2

I just encountered a similar issue and ended up working around it using a bind mount from the Postfix chroot jail up into the SASL Auth daemon's preferred path:

 mkdir -p     /var/spool/postfix/var/run/saslauthd
 chgrp sasl   /var/spool/postfix/var/run/saslauthd
 mount --bind /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

I also had to change the permissions slightly to allow Postfix to traverse (-x) into that directory. (I did NOT change the permissions on the Postfix directory /var/spool/postfix) ... that's why I used a bind mount; because changing the Postfix permissions seems likely to cause a lot more trouble than changing just the "other execute" permission on the saslauthd directory containing its Unix domain socket and PID file.

I'd still welcome a pointer to a better HOWTO on enabling Postfix plus SASLauthd.

Incidentally, though I figured out this workaround on my own, the very next link in Google after this Serverfault entry (for me, at this time) was to this:

https://github.com/webmin/webmin/issues/58

... which is a more detailed description of the problem and solution. Essentially the same as I figured out on my own.

Jim Dennis
  • Thanks for the tip! I ended up just doing a fresh (re?)install - which worked as expected. I figured it was far faster than the headache of fixing what I had - but I'm sure this would better help anyone else that experiences this issue in the future. – flashbang Aug 26 '14 at 22:24
  • Important tip after `mount --bind`ing the directory as in the answer (don't, like in other instructions you'll find, assume otherwise: `postfix` and/or `saslauthd` are sensitive to permissions here) and adjusting the path in `sasl/smtpd.conf` the missing permission error message of OP might still persist (but for another reason), run `chmod -R +x /var/spool/postfix/var/run/saslauthd/` then (like in 110 % of cases identical error messages for the same problem are non-sense-making nonsense) – Kalle Richter Sep 27 '14 at 04:34
  • On Ubuntu Xenial, Postfix chroot, all default webmin settings, all I had to do (from the github instructions) was make the only OPTION line in /etc/default/saslauthd read OPTIONS="-c -m /var/run/saslauthd -r" – Gaia Aug 18 '17 at 04:09
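The answers above and masegaloeh's comments all come down to the same two questions: where will smtpd actually try to open the saslauthd socket (inside the chroot or not), and can the unprivileged smtpd process reach it? The following script is an added diagnostic that puts those checks in one place; it is not code from any of the answers, and the function names are mine. It assumes Linux with GNU stat(1) and that saslauthd creates its socket as `<run_path>/mux`, the Cyrus SASL default name. Treating "-" in the chroot column as "yes" follows the "(yes)" header of the master.cf posted above; pass "n" as the fourth argument of `sasl_socket_dir` for Postfix 3.0 or later, where the default is "n".

```shell
#!/bin/sh
# Added diagnostic for "cannot connect to saslauthd server: Permission denied".
# Not from the answers on this page; function names are hypothetical.
# Assumptions: Linux with GNU stat(1); saslauthd socket is <run_path>/mux.

# Print the chroot column of the active "smtp inet ... smtpd" service in master.cf.
# Output is "y", "n" or "-" ("-" means the compiled-in default: y before Postfix
# 3.0, n from 3.0 on; the header comment in master.cf shows which one applies).
smtpd_chroot_flag() {
    awk '$1 == "smtp" && $2 == "inet" && $8 == "smtpd" { print $5; exit }' "$1"
}

# Resolve where smtpd really opens <run_path>/mux on the host filesystem:
# inside queue_directory when chrooted, otherwise at run_path itself.
# $4 is what "-" resolves to; it defaults to y to match the "(yes)" header.
sasl_socket_dir() {
    flag=$1; queue_dir=$2; run_path=$3; default_flag=${4:-y}
    if [ "$flag" = "-" ]; then flag=$default_flag; fi
    if [ "$flag" = "y" ]; then
        printf '%s%s\n' "$queue_dir" "$run_path"
    else
        printf '%s\n' "$run_path"
    fi
}

# The socket directory must let the unprivileged smtpd process search it.
# Debian/Ubuntu ship /var/run/saslauthd as root:sasl mode 0710, which is why
# "add postfix to the sasl group" helps there. This check only looks at the
# "other" execute bit, i.e. what a process outside the group would need.
dir_searchable_by_others() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1")        # e.g. 755 or 710 (GNU stat)
    other=$(( mode % 10 ))           # last octal digit = permissions for "other"
    [ $(( other & 1 )) -eq 1 ]
}

# saslauthd listens on <dir>/mux; the socket only exists while the daemon runs.
mux_socket_present() {
    [ -S "$1/mux" ]
}

# Tie it together. Exit status: 0 reachable, 1 directory problem, 2 no socket.
diagnose() {
    master_cf=$1; queue_dir=$2; run_path=$3
    flag=$(smtpd_chroot_flag "$master_cf")
    dir=$(sasl_socket_dir "$flag" "$queue_dir" "$run_path")
    printf 'smtpd chroot=%s -> smtpd will open %s/mux\n' "$flag" "$dir"
    if ! dir_searchable_by_others "$dir"; then
        printf 'FAIL: %s is missing or not searchable by others\n' "$dir"
        printf '      (put postfix in the directory group, or relax the mode)\n'
        return 1
    fi
    if ! mux_socket_present "$dir"; then
        printf 'FAIL: no socket at %s/mux; start saslauthd with -m %s\n' "$dir" "$dir"
        return 2
    fi
    printf 'OK: %s/mux is reachable\n' "$dir"
}

# Typical invocation on a real host (only runs when three arguments are given):
#   sh check-saslauthd.sh /etc/postfix/master.cf "$(postconf -h queue_directory)" /run/saslauthd
if [ $# -eq 3 ]; then
    diagnose "$@"
fi
```

Run it once after every reboot when /run is a tmpfs: a symlink or bind mount that was created by hand disappears with the tmpfs, and the script reports that as "no socket" rather than the misleading "Permission denied" smtpd logs.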