On Sat, Jun 25, 2011 at 07:25:31AM -0400, Jerry wrote:

Hi,

> Please read: http://www.postfix.com/DEBUG_README.html
> In particular section: Reporting problems to postfix-users@postfix.org
> Recommended: [..]
> If the problem is SASL related, consider including the output from the
> saslfinger tool. This can be found at
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

Yeah, I saw that minutes after posting.

saslfinger outputs no mechanisms:

    -- mechanisms on n...@example.org --
    -- mechanisms on [smarthost.example.org] --

And indeed, using nc directly:

    $ nc example.org 25
    EHLO computer.private
    250-smarthost.example.org
    250-PIPELINING
    250-SIZE 202400000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME

AUTH is missing ...

Perhaps it is only available after STARTTLS?!?

    $ openssl s_client -connect smarthost.example.org:25 -starttls smtp
    [..]
    250 DSN
    EHLO lenovo.private
    250-smarthost.example.org
    [..]
    250-AUTH PLAIN LOGIN
    [..]

Yes, sasl authentication is only available after STARTTLS.

Thus, adding

    smtp_use_tls = yes

to main.cf fixes the issue for me. In this situation smtp_tls_security_level
also would make sense, I guess.

May I suggest a few things?

1) Adding a pointer to saslfinger to http://www.postfix.org/SASL_README.html

2) a) Adding an AUTH test with openssl ... -starttls to the saslfinger
      script.
   b) Fixing saslfinger such that it does not try to connect to email
      addresses (or [host] names) and understands a relayhost map?
   c) Fixing saslfinger such that it prints a warning if no mechanisms
      are found

3) Making the postfinger and saslfinger scripts available from a
   checksummed version control repository (e.g. git/mercurial).

Best regards
Georg
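
Added example, not part of the original message and not saslfinger's code: a small Python check that compares the EHLO reply seen before and after STARTTLS and warns when no SASL mechanisms are found, as in suggestion 2c. The function names and the two sample replies are constructed for illustration, modelled on the transcripts in the message.

```python
import re

# One ESMTP keyword per 250 line; also accepts the legacy "AUTH=..." spelling.
EHLO_LINE = re.compile(r"^250[- ]([^\s=]+)(?:[ =](.*))?$")

def ehlo_extensions(reply):
    """Map each ESMTP keyword in an EHLO reply to its list of parameters."""
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    ext = {}
    for line in lines[1:]:  # the first 250 line only carries the server name
        m = EHLO_LINE.match(line)
        if m:
            ext.setdefault(m.group(1).upper(), []).extend((m.group(2) or "").split())
    return ext

def diagnose(plain_reply, tls_reply):
    """Return (verdict, mechanisms before TLS, mechanisms after STARTTLS)."""
    before = ehlo_extensions(plain_reply).get("AUTH", [])
    after = ehlo_extensions(tls_reply).get("AUTH", [])
    if before:
        verdict = "AUTH offered without TLS: credentials may cross the wire unencrypted"
    elif after:
        verdict = ("AUTH offered only after STARTTLS: the client must negotiate "
                   "TLS first (smtp_use_tls / smtp_tls_security_level)")
    else:
        verdict = "WARNING: no SASL mechanisms found before or after STARTTLS"
    return verdict, before, after

# Constructed sample replies (hypothetical host, modelled on the message).
PLAIN_REPLY = """250-smarthost.example.org
250-PIPELINING
250-SIZE 202400000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

TLS_REPLY = """250-smarthost.example.org
250-PIPELINING
250-AUTH PLAIN LOGIN
250 DSN"""

if __name__ == "__main__":
    verdict, before, after = diagnose(PLAIN_REPLY, TLS_REPLY)
    print(verdict)
    print("before TLS:", before or "none", "| after STARTTLS:", after or "none")
```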