Postfix TLS Error

Question

I'm working with a Postfix/Dovecot/Roundcube setup, aiming for a virtual user mail system that can send mail through the internet, as documented here.

Everything seems to work well; Dovecote shows no problems, I can telnet into all of my ports; however, whenever I try to send mail through Roundcube I get the error:

SMTP Error (220): Authentication failed.

And from the logs:

[17-Jan-2015 05:27:31 +0000]: SMTP Error: SMTP error: Authentication failure: STARTTLS failed (Code: ) in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube.php on line 1505 (POST /roundcube/?_task=mail&_unlock=loading1421472451594&_lang=en_US&_framed=1?_task=mail&_action=send)

I figured since Postfix is responsible for SMTP, it must be the culprit. In my Postfix logs I'm seeing:

Jan 16 21:14:35 steelhorse postfix/smtpd[18426]: disconnect from localhost.localdomain[127.0.0.1]
Jan 16 21:14:35 steelhorse postfix/smtpd[18426]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Jan 16 21:14:35 steelhorse postfix/smtpd[18426]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1293:SSL alert number
Jan 16 21:14:35 steelhorse postfix/smtpd[18426]: SSL_accept error from localhost.localdomain[127.0.0.1]: 0

My SSL certificate is signed with localhost as the CN as that fixed a different issue I was having. Postfix was set with the $myhostname parameter to be mail.[mydomain] and using Afraid DynDNS I set an A record for mail.mydomain as well as an MX record that went like 1:mail.[mydomain]. I tried setting these all to just [mydomain] and it didn't work. A telnet sessions looks like this:

telnet [mydomain] 587
Trying [myip]...
Connected to [mydomain].
Escape character is '^]'.
220 [mydomain] ESMTP Postfix
ehlo [mydomain]
250-[mydomain]
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

My Postfix main.cf (Not including most of the default lines):

#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/bin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = [mydomain]
#myhostname = virtual.domain.tld
mydomain = [mydomain]
#myorigin = $myhostname
myorigin = $mydomain
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
#mydestination = $myhostname, localhost.$mydomain, localhost
...
#local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
#mynetworks_style = class
#mynetworks_style = subnet
mynetworks_style = host
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
#relay_domains = $mydestination
#relayhost = $mydomain
...
relay_domains = *
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,     reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_tls_loglevel = 1

I've also tried setting the Roundcube smtp_conn_options to null as per here. I'm really not sure if the issues lies in the DNS records, the SSL cert or what. Any and all help would be appreciated!

UPDATE

After setting my Roundcube conf.inc.php to verify_peer(_name) = false

/* Local configuration for Roundcube Webmail */
$config['db_dsnw'] = 'mysql://roundcube_user:steelcube@localhost/roundcube_db';
$config['default_host'] = 'ssl://localhost/';
$config['default_port'] = 993;
$config['smtp_server'] = 'tls://localhost/';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';
$config['smtp_conn_options'] = null;
$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verfify_peer_name' => false,
   ),
);
$config['smtp_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'      => false,
     'verify_peer_name' => false,
  ),
);

$config['smtp_port'] = 587;
$config['support_url'] = '';
$config['des_key'] = '[secret]';
$config['plugins'] = array('archive', 'zipdownload');
$config['mime_types'] = '/etc/httpd/conf/mime.types';

This gives me new the error SMTP Error (535): Authentication failed when send email. Here the content of roundcube error

[18-Jan-2015 02:58:06 UTC] PHP Deprecated:  Non-static method PEAR::raiseError() should not be called statically, assuming $this from incompatible context in /usr/share/webapps/roundcubemail/program/lib/Net/SMTP.php on line 371
[18-Jan-2015 02:58:06 UTC] PHP Deprecated:  Non-static method PEAR::raiseError() should not be called statically, assuming $this from incompatible context in /usr/share/webapps//roundcubemail/program/lib/Net/SMTP.php on line 371
[18-Jan-2015 02:58:06 +0000]: SMTP Error: SMTP error: Failed to set sender /roundcubemail/program/lib/Net/SMTP.php on line 371'[username]@[mydomain]' in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube.php on line 1505 (POST /roundcube/?_task=mail&_unlock=loading1421549886598&_lang=en_US&_framed=1?_task=mail&_action=send)

And maillog entry

Jan 18 20:18:21 steelhorse postfix/smtpd[1942]: connect from localhost.localdomain[127.0.0.1]
Jan 18 20:18:21 steelhorse postfix/smtpd[1942]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128    
Jan 18 20:18:21 steelhorse postfix/smtpd[1942]: warning: localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed: Invalid authentication mechanism
Jan 18 20:18:21 steelhorse postfix/smtpd[1942]: disconnect from localhost.localdomain[127.0.0.1]

As requested in chat, this is the output of dovecot -a | grep auth_mechanism

auth_mechanisms = plain 

Answer 1

OK looks like there are too many mismatch in your postfix, roundcube and dovecot configuration. Let's break it down one by one.

STARTTLS error

This log line

warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1293:SSL alert number 

indicated that PHP fails to verify peer certificate because unknown CA. This is exact duplicate problem with this question: Roundcube & Postfix SMTP: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c. And from the question you already solves it by add these lines in roundcube

$config['smtp_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'      => false,
     'verify_peer_name' => false,
  ),
);

Authentication failed error

To do this, we must look in postfix and roundcube logs to identify the problem. The real message was captured in postfix log file

Jan 18 20:18:21 steelhorse postfix/smtpd[1942]: warning: localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed: Invalid authentication mechanism

Now because the postfix SASL mechanism was provided by dovecot then you should check the mechanism that dovecot offer by run dovecot -a | grep auth_mechanism.

By looking to roundcube $config['smtp_auth_type'] and dovecot auth_mechanisms config, you can see a mismatch between these two. Dovecot only offer PLAIN mechanism. But the roundcube was configure to use LOGIN mechanism.

Solution can be one or both of these

• Offering LOGIN mechanism from dovecot side by adding

  auth_mechanisms = plain login
  

  in dovecot config.

• Set PLAIN login to roundcube side by change the parameter to

  $config['smtp_auth_type'] = 'PLAIN';
  

Answer 2

You can also solve this problem, producing a fullchain. After you have a correct fullchain, add the fullchain to:

etc/postfix/main.cf

smtpd_tls_cert_file = /etc/ssl/certs/some-cert-file-with-fullchain.crt

Producing a fullchain can be done by adding the cert over an chain-bundle.

No need to change somethgin roundcube config.

The fullchain also will solve login problems in dovecot.