Postfix TLS authentication not enabled

Solution 1

You might have added smtpd_tls_auth_only=yes to your main.cf?

This option makes authentication occur only after TLS is set up.

Therefore, if you telnet to your SMTP port and then issue an AUTH command, you will get that "not enabled" error, since it is still not a TLS connection at this time.

Solution 2

As you don't see anything in your postfix log, at least postfix must be configured incorrectly.

First, confirm that Dovecot is configured (in dovecot.conf) with something like:

auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    user = root
    socket listen {
      client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
      }
    }
}

Confirm the following in your postfix main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated

and in master.cf, make sure that your submission port offers the SASL service. You can put this in your smtp service for auth on port 25, but this is unusual. You should also put it in your smtps service for encrypted access:

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
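
The check described in this answer can be automated. The following is an added example, not code from the answer or from Postfix: it merges main.cf with each smtpd service's `-o` overrides from master.cf and reports what a client will see when it sends AUTH. The sample file contents and the function names are constructed for illustration, and the parser handles only simple `name = value` lines.

```python
# Constructed sample configs for this added example (not the asker's files).
MAIN_CF = """\
smtpd_tls_auth_only = yes
smtp_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
"""
MASTER_CF = """\
smtp       inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup     unix n - - 60 1 pickup
"""

def parse_main(text):
    """main.cf 'name = value' lines -> dict; comments and continuations skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and l[0] not in " \t#")
    return {name.strip(): value.strip() for name, value in pairs}

def parse_master(text):
    """master.cf -> {service: {param: value}} for smtpd services and -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not line[0].isspace():              # a new service entry starts here
            is_smtpd = len(fields) > 7 and fields[7] == "smtpd"
            current = services.setdefault(fields[0], {}) if is_smtpd else None
        if current is not None:
            for flag, arg in zip(fields, fields[1:]):
                if flag == "-o" and "=" in arg:
                    name, value = arg.split("=", 1)
                    current[name] = value
    return services

def audit(main_text, master_text):
    """Per smtpd service: how the server will treat an AUTH command."""
    main, report = parse_main(main_text), {}
    for service, overrides in parse_master(master_text).items():
        eff = {**main, **overrides}            # -o overrides win over main.cf
        sasl = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls_only = (eff.get("smtpd_tls_auth_only", "no") == "yes"
                    or eff.get("smtpd_tls_security_level") == "encrypt")
        report[service] = ("AUTH disabled" if not sasl else
                           "AUTH only after STARTTLS" if tls_only else
                           "AUTH offered in plaintext")
    return report
```

In the sample, main.cf sets `smtp_sasl_auth_enable` (a parameter of the Postfix SMTP client) rather than `smtpd_sasl_auth_enable`, so port 25 is reported as "AUTH disabled" while the submission service, which sets the server-side parameter itself, is reported as "AUTH only after STARTTLS".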

Solution 3

There are two different things.

1: SSL/TLS support

2: authentication

They are independent, i.e. it is possible to have one of them without the other. Of course, it is much better if authentication happens only over an already encrypted channel.

Probably your postfix doesn't have the second one (the auth), only TLS.

Authentication on postfix happens through the sasl authentication daemon, which also needs to be configured.

mxtoolbox says everything is O.K., because it doesn't check the auth, only the encryption.
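
Solutions 1 and 3 both come down to what the server advertises in its EHLO reply before and after STARTTLS. The following is an added example, not part of the original answers: it compares the two replies and says whether AUTH is missing, TLS-only, or exposed on the unencrypted channel. The EHLO replies, host names and function names are constructed for illustration; `probe` is the live variant for a server you administer.

```python
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from the asker's server).
PLAIN_EHLO = """\
250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME
"""
TLS_EHLO = """\
250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""

def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = re.sub(r"^250[ -]", "", line).upper()
        # "AUTH=..." is the legacy spelling some servers send for old clients.
        if keyword.startswith(("AUTH ", "AUTH=")):
            mechs.update(keyword[5:].split())
    return mechs

def classify(plain_reply, tls_reply):
    """Compare what is advertised before and after STARTTLS."""
    if auth_mechanisms(plain_reply):
        return "AUTH offered before STARTTLS"
    if auth_mechanisms(tls_reply):
        return "AUTH only after STARTTLS"
    return "no AUTH at all"

def probe(host, port=587):
    """Live check: collect both EHLO replies from the server and classify them."""
    with smtplib.SMTP(host, port, timeout=10) as server:
        plain = server.ehlo()[1].decode()
        server.starttls(context=ssl.create_default_context())
        tls = server.ehlo()[1].decode()
    return classify(plain, tls)
```

A plain telnet session cannot tell "AUTH only after STARTTLS" apart from "no AUTH at all", because both reject AUTH on the unencrypted connection; only the second EHLO, sent inside TLS, shows the difference.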

Author by

Frank Astin

Updated on September 18, 2022

Comments

  • Frank Astin
    Frank Astin over 1 year

    I've set up a mail server according to this guide.

    When I telnet mydomain.com 25 and use the AUTH command it returns:

    Error: authentication not enabled

    Trying to log in via Outlook returns an unknown error, and when I send an e-mail to an address I get a relay access denied error.

    However, mxtoolbox tells me everything is set up ok.

    • user9517
      user9517 over 10 years
      If you have checked through the linked document and are sure you have followed it correctly, then you should contact its author and help them correct it.
  • Frank Astin
    Frank Astin over 10 years
    I'm using Dovecot's TLS support and smtp_sasl_auth_enable = yes in the Postfix config
  • peterh
    peterh over 10 years
    And this: smtpd_sasl_path = smtpd?
  • Frank Astin
    Frank Astin over 10 years
    it's set to smtpd_sasl_path = private/auth
  • Frank Astin
    Frank Astin over 10 years
    How do I debug this? I can't find anything in the mail log.
  • peterh
    peterh over 10 years
    Then you need to debug what happens between SASL and Postfix. Last time I did this, it wasn't simple. First you need to be sure that SASL is OK. You said you have Dovecot and that it works, thus it is probable. SASL is communicating with Dovecot through a unix pipe, so you need to strace them, watching what they communicate through this pipe, and also checking the sasld log.
  • Frank Astin
    Frank Astin over 10 years
    I don't get anything when I try to telnet to 587 .
  • Michael Hampton
    Michael Hampton over 10 years
    Then you have seriously screwed up your configuration somehow. Post your master.cf and check your firewall.
  • Quetza
    Quetza over 10 years
    Authenticated outgoing email can be done on port 25, it's just quite common to only do it on the submission port which is 587. But there is no RFC or other requirement to have it only on port 25.
  • peterh
    peterh over 10 years
    Yes, everything can be done on port 25 after a STARTTLS command, just as on port 587. There is a third port number, it is 467(?); on this only SSL communication can go. It is effectively the SMTP version of HTTPS. But these port numbers are about encryption, and not about authentication. Authentication could be done on SMTP many years ago, and it can happen over an encrypted channel just as over an unencrypted one. It is only our wish that we (as sysadmins) don't want authentication on an unencrypted channel because of security; theoretically it would be possible.
  • redochka
    redochka over 6 years
    Enabling Postfix verbose logging and setting smtpd_tls_auth_only = no helped fix my problem.