On Wed, Jun 22, 2022 at 04:50:10PM -0300, Luc GMail wrote:

> Many thanks for the replies I've got so far. They helped, and now I
> have postfix running with SASL, and both ports 587 and 465 answer on
> telnet. But I still can't authenticate:
> 
> telnet localhost 25
> 220 server.mydomain.net ESMTP Postfix (Debian/GNU)
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> c29tZXVzZXI=
(someuser)
> 334 UGFzc3dvcmQ6
> c29tZXBhc3M=
(somepass)
> 454 4.7.0 Temporary authentication failure: generic failure

If those are "real" credentials, make sure they're disabled before you
get SASL working, otherwise they're liable to get abused.

As for why authentication is failing, is "saslauthd" actually installed
and running with a sensible backend (e.g. "-a pam") specified?

> echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
> echo 'mech_list: plain login CRAM-MD5 DIGEST-MD5' >> /etc/postfix/sasl/smtpd.conf

Though case should not matter, "by the book" that should be "PLAIN LOGIN ..."

> usermod -a -G sasl postfix

The need for this is platform-dependent; only do this if required on
your OS. Look at the ownership and permissions of the saslauthd mux
socket and its containing directory.

> smtpd_sasl_type = cyrus
> smtpd_sasl_path = smtpd

These look OK, but you really should have in main.cf:

    smtpd_tls_auth_only = yes
    smtpd_sasl_auth_enable = no

and then (as you do) enable SASL only for the submission servers in
master.cf, for which TLS is required.  Your test will then be via:

    openssl s_client -starttls smtp -connect localhost:587

or some other means to connect via TLS.

-- 
    Viktor.
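
An added example, not part of the original message: a small Python check that applies the advice above to a main.cf/master.cf pair and lists any smtpd service that would accept AUTH on an unencrypted session. The sample configs are constructed, the function names are hypothetical, and only the plain `-o name=value` override form is handled.

```python
# Constructed sample configs following the advice in the message above.
MAIN_CF = """\
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = no
"""
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""
# Any one of these makes TLS a precondition for AUTH on a service.
TLS_GATES = (("smtpd_tls_auth_only", "yes"), ("smtpd_tls_security_level", "encrypt"),
             ("smtpd_tls_wrappermode", "yes"))

def logical_lines(text):
    """Drop blank/comment lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    return dict(map(str.strip, l.split("=", 1)) for l in logical_lines(text) if "=" in l)

def parse_master(text):
    """smtpd services in master.cf as {service name: its -o name=value overrides}."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            # Arguments after the command; the bare "-o" tokens carry no "=".
            services[fields[0]] = dict(a.split("=", 1) for a in fields[8:] if "=" in a)
    return services

def auth_without_tls(main_text, master_text):
    """Names of smtpd services that would accept AUTH on an unencrypted session."""
    main, exposed = parse_main(main_text), []
    for name, overrides in parse_master(master_text).items():
        eff = {**main, **overrides}  # per-service -o settings win over main.cf
        if eff.get("smtpd_sasl_auth_enable", "no") == "yes" and not any(
                eff.get(k) == v for k, v in TLS_GATES):
            exposed.append(name)
    return exposed
```

An empty list from `auth_without_tls(MAIN_CF, MASTER_CF)` means every AUTH-enabled service requires TLS first; a main.cf that enables SASL globally without `smtpd_tls_auth_only = yes` reports the port 25 `smtp` service.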
