Postfix authentication failure, can't send email out
postfix/smtp[3386]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c11::1a]:25: Network is unreachable
This is a hint that IPv6 is attempted, but not available. It looks like your computer believes it has IPv6-connectivity, while it in reality does not have it. You should probably try to disable IPv6 completely:
Add the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
and reboot. This will disable IPv6, forcing you to use IPv4. Then try sending the e-mail again.
Furthermore, postfix will accept mail without authentication, but if the destination is not one of the domains it is configured for, it will reject it, as it does not allow relaying e-mail in your configuration. This is important! An open relay will instantly be turned into a spam source...
This is configured with the line
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Regarding the authentication failure, this is probably because the login method "auth login" is not a valid SASL authentication mechanism for your configuration. You're probably looking for "auth plain". Try to log in from an e-mail client like Thunderbird, which supports most authentication protocols.
Yida Zhang
Updated on September 18, 2022
Comments
-
Yida Zhang over 1 year
I was trying to set up my postfix email server and got the following errors when using the command "auth login" in the telnet session with my postfix service:
535 5.7.8 Error: authentication failed: generic failure
warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
I've followed the link below to set up the service.
How To Install and Configure Postfix on Ubuntu 16.04
I've created 2 users, "postmaster" and "yida", on my computer. "postmaster" could not receive any email using the s-nail mail but could send to "yida", while "yida" could send and receive email, but only to and from local users, like "postmaster".
The mail log has the following problem:
postfix/smtp[3386]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c11::1a]:25: Network is unreachable
This happens when I tried to send email to my own gmail account. The interesting thing was that I gave up in the authentication and continued to type "mail from" command in my testing telnet session and the server gave me an "OK" response. Looks like Postfix was not requiring authentication.
Please see below the related files:
/etc/postfix/master.cf
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -  n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
/etc/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server.sample.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, sample.com, server.sample.com, localhost.sample.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
compatibility_level = 2
/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
/etc/s-nail.rc
#@ s-nail.rc
#@ Configuration file for S-nail(1) v14.8.6
# S-nail(1): v14.8.6 / 2015-12-28
## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings:
# (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!)
# [a] noallnet, noappend, asksub, noaskbcc, noaskcc, noautoprint,
# [b-e] nobang, nocmd, nocrt, nodebug, nodot, escape="~",
# [f-i] noflipr, nofolder, header, nohold, noignore, noignoreeof,
# [j-o] nokeep, nokeepsave, nometoo, nooutfolder,
# [p-r] nopage, prompt="? ", noquiet, norecord,
# [s] save, nosendwait, noshowto, nosign, noSign,
# [t-z] toplines="5"
# Notes:
# - no*onehop* doesn't exist in this implementation.
# (To pass options through to an MTA, either add them after a "--" separator
# on the command line or by setting the *sendmail-arguments* variable.)
# - *prompt* is "\\& " by default, which will act POSIX-compliant
# unless the user would set *bsdcompat*
## The remaining content adjusts the standard-imposed default settings.
# Note that some of the following flags are specific to S-nail(1) and may thus
# not work with other Mail(1) / mailx(1) programs.
# Entries are marked [OPTION] if their availability is compile-time dependent
## Variables
# If threaded mode is activated, automatically collapse thread
set autocollapse
# Enter threaded mode automatically
#set autosort=thread
# Append rather than prepend when writing to mbox automatically.
# This has no effect unless *hold* is unset (it is set below)
set append
# Ask for a message subject.
set ask
# *bsdannounce* prints a header summary on folder change and thus complements
# *header* on a per-folder basis (it is meaningless unless *header* is set)
set bsdannounce
# Uncomment this in order to get coloured output in $PAGER.
# (Coloured output is only used if $TERM is either found in *colour-terms*
# or includes the string "color")
#set colour-pager
# Assume a CRT-like terminal and invoke a $PAGER
set crt
# Define date display in header summary
#set datefield="%R %m-%d" datefield-markout-older=" %g-%m-%d"
# When composing messages a line consisting of `.' finalizes a message
set dot
# Immediately start $EDITOR (or $VISUAL) when composing a message
#set editalong
# Startup into interactive mode even if the (given) mailbox is empty
#set emptystart
# When replying to or forwarding a message the comment and name parts of email
# addresses are removed unless this variable is set.
#set fullnames
# [OPTION] Add more entries to the history as is done by default
set history-gabby
# Do not forward to mbox by default since this is likely to be
# irritating for most users today; also see *keepsave*
set hold
# Quote the original message in replies by "> " as usual on the Internet
set indentprefix="> "
# Mark messages that have been answered
set markanswered
# Try to circumvent false or missing MIME Content-Type descriptions
# (Can be set to values for extended behaviour, please see the manual.)
set mime-counter-evidence
# Control loading of mime.types(5) file: the value may be a combination of the
# letters "s" and "u": if "u" is seen ~/.mime.types will be loaded if possible;
# "s" adds /etc/mime.types, if available; setting this without any value uses
# only a set of builtin mimetypes; the default behaviour equals "us".
# An extended syntax that allows loading of other, specified files is available
# if the value contains an equal sign "=", see the manual for more
#set mimetypes-load-control
# Do not remove empty mail folders.
# This may be relevant for privacy since other users could otherwise create
# them with different permissions
set keep
# Do not move `save'd or `write'n message to mbox by default since this is
# likely to be irritating for most users today; also see *hold*
set keepsave
# When writing mailbox files we strip Content-Length: and Lines: header fields
# from edited / changed messages, because S-nail doesn't deal with these
# (non-standard) fields -- and since other MUAs may rely on their content, if
# present, it seems more useful to strip them than to keep them, now that they
# became invalid; set this to include them nonetheless
#set keep-content-length
# A nice prompt for ISO 6429/ECMA-48 terminals
#set prompt="\033[31m?\?[\$ \@]\& \033[0m"
# Automatically quote the text of the message that is responded to
set quote
# On group replies, specify only the sender of the original mail in To: and
# mention it's other recipients in the secondary Cc: instead of placing them
# all together in To:
set recipients-in-cc
# When responding to a message, try to answer in the same character set
#set reply-in-same-charset
# [OPTION] Outgoing messages are sent in UTF-8 if possible, otherwise LATIN1.
# Note: it is highly advisable to read the section "Character sets" of the
# manual in order to understand all the possibilities that exist to fine-tune
# charset usage (variables also of interest: *ttycharset*, *charset-8bit*,
# *sendcharsets-else-ttycharset*; and of course we inherit the $LC_CTYPE /
# $LC_ALL / $LANG environment variables and react upon them)
set sendcharsets=utf-8,iso-8859-1
# When sending a message wait until the MTA (including the builtin SMTP one)
# exits before accepting further commands. Only with this variable set errors
# reported by the MTA will be recognizable!
#set sendwait
# Display real sender names in header summaries instead of only addresses
set showname
# Show recipients of messages sent by the user himself in header summaries
set showto
## Commands
# Only include these selected header fields when forwarding messages
fwdretain subject date from to
# Only include the selected header fields when printing messages
retain date from to cc subject message-id mail-followup-to reply-to
## Some pipe-TYPE/SUBTYPE entries
# HTML as text, inline display via lynx(1)
#if $features !@ HTML-FILTER
# set pipe-text/html="lynx -stdin -dump -force_html"
#endif
# PDF display, asynchronous display via xpdf(1)
#set pipe-application/pdf="@&set -C;\
# : > \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\";\
# trap \"rm -f \\\"${TMPDIR}/${NAIL_FILENAME_GENERATED}\\\"\" \
# EXIT INT QUIT PIPE TERM;\
# set +C;\
# cat > \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\";\
# xpdf \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\""
# s-it-mode
#Added according to docs found in internet.
set emptystart
set folder=Maildir
set record=+sent
/etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="shadow"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"
I would like to achieve two things:
1. Make the "auth login" work correctly.
2. Make both users able to send email to the outside, like to my gmail account.
Thanks for the help in advance.
-
Yida Zhang about 6 years
What did you mean by "App Password"? I suppose you mean that I need to give the Google server address, my account name and password before I could send out mail using my Gmail account? This is not what I'm looking for and I know this already. The log I've shown there was created when I tried to send an email to my [email protected] email address from the user "yida". I'm not trying to send out email using my Gmail account. Hope this clarifies the situation. Thanks for your comment.
-
Yida Zhang about 6 years
I'm using the postfix software I've installed in this server.sample.com computer as my SMTP carrier. In other words, I'm trying to be my own SMTP provider.
-
Terrance about 6 years
Run 2 terminal windows. 1 is running "tail -f /var/log/mail.log" and in the other try testing your outgoing mail. Watch the log output. Chances are you are timing out on some connection further up the line due to no "relayhost =" being configured in your mail.cf file.
-
Yida Zhang almost 6 years
OK. The reasons for the timeout have been identified: first, I enabled IPV6 in my LAN but my ISP does not provide IPV6 service, so I could not connect to the IPV6 address of the gmail SMTP server. Second, my ISP disabled the port 25 traffic, both inbound and outbound. I changed the main.cf to say "inet_protocols = ipv4" and fixed the first problem. But for the second problem, I'm speechless.
-
Yida Zhang almost 6 years
Could you please tell me how to set up the "relayhost = " option? And I'm also wondering if there is anything I could do to use the SSL port instead of 25 while trying to relay my email.
-
Terrance almost 6 years
If you don't want your email showing from @gmail.com, which is free to set up, then you will need to create a domain through a service that will allow you to have your own @yourdomain.com email address. Something like Google Domains (domains.google/#). This will allow you to configure your email server to use their relayhosts on port 587. I have not found any way to get around something like this due to the blocking of spam on most services now. It used to be that you could create your own without any problems, but too many people abused it.
-
Yida Zhang almost 6 years
Thank you very much for sharing the information with me. I'll investigate and try a little more about it before I should decide to give up.
-
Yida Zhang almost 6 years
Just one more comment here. I've set up my postfix to relay to a host we rent from a hosting company and having smtp service on port 587. In this way, I was able to keep my own domain name in the "from" address. Thank you very much for your help. I would not have been able to solve the problem without you.
-
Terrance almost 6 years
Nice! Glad that you got it working! =)
-
-
Yida Zhang almost 6 years
Good point and good observation. Thank you very much for sorting that out for me. I've changed the main.cf file to say "inet_protocols = ipv4" and postfix seems to use ipv4 to search for the gmail server now. But still, it gives me a problem. Now the email sending log reads "connect to gmail-smtp-in.l.google.com[173.194.194.26]:25: Connection timed out"
-
Yida Zhang almost 6 years
And the plain authorization failed, as well. In the mail.log file, it complains "cannot connect to saslauthd server: No such file or directory". But when I tried to run the command "saslauthd -a shadow" again, I got the information as "Another instance of saslauthd is currently running". Could you please help me further in this? Thanks.
-
vidarlo almost 6 years
The fact that it times out points in the direction of @Terrance comments, and you will probably need a relay host on a port different from 25 to send e-mail, or talk with your ISP to verify that port 25 is open for outgoing connections. Regarding your question about saslauth, edit your question to include the Cyrus SASL configuration. It should include the path to a listener at /var/spool/postfix/smtpd
-
Yida Zhang almost 6 years
OK, as a matter of fact, my ISP blocks port 25 traffic, both inbound and outbound. That's why I still could not send email to my gmail account. I've posted the configuration file for Cyrus SASL, that's the saslauthd file in the post. The path it uses is "/var/run/saslauthd", so I've updated the smtpd.conf file using the same path. But still the same error when doing the auth plain and auth login.
-
Yida Zhang almost 6 years
I also tried to connect using opera mail (another MUA under windows) but failed in authentication while trying to send mail out. Same error message displayed as "authentication failed: generic failure".
-
Yida Zhang almost 6 years
Is there a way that I can set up POSTFIX so that it will try to relay emails using another port rather than 25? Say using the port 465?
-
vidarlo almost 6 years
Can you try changing the sasl path in saslauthd file to /var/spool/postfix/smtpd?
-
Yida Zhang almost 6 years
Wow, that's where the problem lies. I opened the file /etc/default/saslauthd and found out that the last line should be set as 'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"' since my Postfix was running in chroot mode. I changed this line, put the path in the smtpd.conf file and restarted saslauthd and postfix. Everything then works fine. Thank you very much.
-
Yida Zhang almost 6 years
Since the problem of SASL authentication has been solved, and it was my ISP who was the reason why I could not send email out, I'm considering this question solved. Thank you very much.
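The mismatch that resolved this thread (a chrooted smtpd while saslauthd listens in /var/run/saslauthd, outside /var/spool/postfix) can be checked mechanically. The following is an added example, not code from the original posts; the sample file contents are constructed from the files quoted in the question, and the function names and the queue_dir default are assumptions.

```python
"""Check that saslauthd's socket directory is reachable from a chrooted smtpd."""
import shlex
from pathlib import PurePosixPath

# Constructed samples, modelled on the files quoted in the question.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
#submission inet n      -       y       -       -       smtpd
local     unix  -       n       n       -       -       local
"""
SASLAUTHD_BEFORE = 'START=yes\nMECHANISMS="shadow"\nOPTIONS="-c -m /var/run/saslauthd"\n'
SASLAUTHD_AFTER = ('START=yes\nMECHANISMS="shadow"\n'
                   'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"\n')


def logical_lines(master_cf):
    """Drop comments and blank lines, then fold continuation lines (leading whitespace)."""
    lines = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def chrooted_smtpd_services(master_cf):
    """Names of inet services that run smtpd with the chroot column enabled."""
    # "-" is counted as chrooted, following the README comment quoted in
    # /etc/default/saslauthd on this page; the default may differ by Postfix version.
    names = []
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd" and f[4] in ("y", "-"):
            names.append(f[0])
    return names


def saslauthd_socket_dir(defaults):
    """Directory given to -m in the last OPTIONS= line, or None if absent."""
    found = None
    for raw in defaults.splitlines():
        line = raw.strip()
        if line.startswith("OPTIONS="):
            value = shlex.split(line[len("OPTIONS="):])
            args = shlex.split(value[0]) if value else []
            found = args[args.index("-m") + 1] if "-m" in args[:-1] else None
    return found


def audit(master_cf, defaults, queue_dir="/var/spool/postfix"):
    """Return findings (strings); an empty list means the paths line up."""
    services = chrooted_smtpd_services(master_cf)
    sock_dir = saslauthd_socket_dir(defaults)
    if not services or sock_dir is None:
        return []
    if PurePosixPath(queue_dir) in PurePosixPath(sock_dir).parents:
        return []
    expected = queue_dir + "/var/run/saslauthd"
    return [f"{', '.join(services)} is chrooted but saslauthd listens in {sock_dir}; "
            f"expected a directory under {queue_dir}, e.g. {expected}"]


if __name__ == "__main__":
    for label, text in (("before", SASLAUTHD_BEFORE), ("after", SASLAUTHD_AFTER)):
        print(label, audit(SAMPLE_MASTER_CF, text) or "ok")
```

A finding here corresponds to the "cannot connect to saslauthd server: No such file or directory" warning in the question: inside the chroot, the socket directory is looked up relative to the Postfix queue directory.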