
I have two separate Ubuntu 12.04 servers.

  1. Runs Trac (homeserver/Dyndns)
  2. Runs postfix (VPS/staticIP)

I configured Trac to use TLS and connect to the Postfix server.

Trac config:

```
admit_domains =
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
ambiguous_char_width = single
email_sender = SmtpEmailSender
ignore_domains =
mime_encoding = base64
sendmail_path = sendmail
smtp_always_bcc =
smtp_always_cc = sandro@weare.de.com
smtp_default_domain =
smtp_enabled = true
smtp_from = trac@weare.de.com
smtp_from_name = Trac
smtp_password = randompassstring==
smtp_port = 587
smtp_replyto = trac@weare.de.com
smtp_server = vps.idev.ge
smtp_subject_prefix = __default__
smtp_user = trac@weare.de.com
ticket_subject_template = $prefix #$ticket.id: $summary
use_public_cc = false
use_short_addr = false
use_tls = true
```

When I try to send a notification, Trac says:

```
ERROR: Failure sending notification on change to ticket #1: SMTPAuthenticationError: (535, '5.7.8 Error: authentication failed: authentication failure')
```

Postfix says:

```
Anonymous TLS connection established from unknown[78.139.167.29]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
warning: SASL authentication failure: incorrect digest response
warning: unknown[78.139.167.29]: SASL CRAM-MD5 authentication failed: authentication failure
```

`postconf -n` output is:

```
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
masquerade_domains = vps.idev.ge www.idev.ge !sub.idev.ge
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = vps.idev.ge
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:::1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/apache2/ssl/vps.idev.ge/PositiveSSLCA2.crt
smtpd_tls_cert_file = /etc/apache2/ssl/vps.idev.ge/vps.idev.ge.crt
smtpd_tls_key_file = /etc/apache2/ssl/vps.idev.ge/vps.idev.ge.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = Sorry, the user's maildir has no space available in their inbox.
virtual_overquota_bounce = yes
virtual_uid_maps = static:5000
```

Any thoughts on what is happening here?

  • Is your Trac capable of authenticating via `CRAM-MD5`? Have you tried forcing `PLAIN` or anything else? – sebix Jul 26 '14 at 18:39
  • @sebix I don't know. The only option Trac provides is use_tls flag. I dug out this though: http://trac.edgewall.org/ticket/7670 –  Jul 26 '14 at 18:49
  • @sebix my Postfix authenticates just fine using AUTH PLAIN or AUTH LOGIN (via telnet). It is Trac that has problems, I think. –  Jul 26 '14 at 18:59
  • Have you tried making the [changes](http://trac.edgewall.org/attachment/ticket/7670/notification.py.patch) proposed in this issue from 6 years ago? But only for diagnostics please. I think we should dig further into the authentication mechanism provided by your Postfix/SASL. Could you find out what you are using and how it is configured? EDIT: What auth mechanisms are allowed? You saw that in your telnet session. If there's an MD5, then it's weird in your SASL. If not, I suspect Trac of being weird. – sebix Jul 26 '14 at 19:11
  • @sebix I think we are getting closer. I cannot get through AUTH CRAM-MD5. My postfix in theory supports: AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 –  Jul 26 '14 at 19:16
  • @sebix unfortunately trac 12 is different, I cannot find those lines anywhere. –  Jul 26 '14 at 19:21
  • @sebix I think thanks to you, I figured it out. See my answer. –  Jul 26 '14 at 19:55

1 Answer

1

TEST:

```
openssl s_client -starttls smtp -crlf -connect vps.idev.ge:587
```

AUTH PLAIN and AUTH LOGIN were working fine. It appears CRAM-MD5 and DIGEST-MD5 are not functioning correctly.

Trac, seeing better methods, was trying to use them, but failed. In Trac there is no fallback mechanism.

Temporary fix in /etc/postfix/sasl/smtpd.con

```
#mech_list: plain login cram-md5 digest-md5
mech_list: plain login
```

Obviously this is not a good solution. Good one would be to fix CRAM-MD5 and DIGEST-MD5. But this will do temporarily.
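
The behaviour described in this answer, modelled offline as an added example (not code from the post or from Trac): a client that follows the mechanism preference order of Python's `smtplib`, the library whose `SMTPAuthenticationError` appears in the question, and tries only its first choice. `ToyServer`, its `cram_secret` field and the `vps.example` name are constructed for illustration; that the SASL lookup returns something other than the cleartext password is an assumption, not something the page establishes.

```python
import base64, hashlib, hmac

PREFERRED = ["CRAM-MD5", "PLAIN", "LOGIN"]  # order Python's smtplib prefers

def parse_auth(ehlo_lines):
    """Mechanisms from '250-AUTH ...' and legacy '250-AUTH=...' lines."""
    mechs = []
    for line in ehlo_lines:
        words = line[4:].replace("=", " ").split()
        if words and words[0].upper() == "AUTH":
            mechs += [m.upper() for m in words[1:] if m.upper() not in mechs]
    return mechs

def cram_md5(user, secret, challenge):
    """RFC 2195: base64(user + ' ' + hex(HMAC-MD5(key=secret, challenge)))."""
    mac = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode()).decode()

class ToyServer:
    """Constructed stand-in for smtpd + SASL, not real Postfix behaviour."""
    challenge = b"<1.2@vps.example>"  # constructed challenge

    def __init__(self, mech_list, password, cram_secret):
        self.mech_list = mech_list      # what smtpd.conf mech_list offers
        self.password = password        # checked for PLAIN / LOGIN
        self.cram_secret = cram_secret  # assumption: what SASL looks up for CRAM-MD5

    def ehlo(self):
        return ["250-vps.example", "250 AUTH " + " ".join(self.mech_list).upper()]

    def auth(self, mech, user, credential):
        if mech == "CRAM-MD5":  # server recomputes the digest from its own copy
            expected = cram_md5(user, self.cram_secret, self.challenge)
        else:                   # PLAIN / LOGIN carry the password itself
            expected = self.password
        return 235 if hmac.compare_digest(credential, expected) else 535

def login(server, user, password, fallback=False):
    """Use only the most-preferred offered mechanism unless fallback=True."""
    offered = parse_auth(server.ehlo())
    tried = []
    for mech in [m for m in PREFERRED if m in offered]:
        cred = cram_md5(user, password, server.challenge) if mech == "CRAM-MD5" else password
        tried.append(mech)
        if server.auth(mech, user, cred) == 235:
            return 235, tried
        if not fallback:
            break
    return 535, tried
```

With only `plain login` offered, the password itself crosses the connection (base64-encoded), so it is protected only by the TLS layer; Postfix's `smtpd_tls_auth_only = yes` keeps AUTH from being offered before STARTTLS.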