warning:xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms

  • jugree@lavabit.com
    Message 1 of 13 , Dec 5, 2012
      Hello.

      I'm getting `warning:xsasl_cyrus_server_get_mechanism_list: no
      applicable SASL mechanisms' (/var/log/mail.log) and `fatal: no SASL
      authentication mechanisms' (/var/log/mail.err) in Debian Squeeze.

      Installed:

      postfix: 2.7.1-1+squeeze1
      libsasl2-2: 2.1.23.dfsg1-7
      libsasl2-modules: 2.1.23.dfsg1-7
      sasl2-bin: 2.1.23.dfsg1-7

      What can I do to fix this?

      There is a related bug report:
      http://lists.alioth.debian.org/pipermail/pkg-cyrus-sasl2-debian-devel/2011-August/002198.html

      I've already asked here:
      http://lists.debian.org/debian-user/2012/12/msg00172.html
    • Wietse Venema
      Message 2 of 13 , Dec 5, 2012
        jugree@...:
        > Hello.
        >
        > I'm getting `warning:xsasl_cyrus_server_get_mechanism_list: no
        > applicable SASL mechanisms' (/var/log/mail.log) and `fatal: no SASL
        > authentication mechanisms' (/var/log/mail.err) in Debian Squeeze.
        >
        > Installed:
        >
        > postfix: 2.7.1-1+squeeze1
        > libsasl2-2: 2.1.23.dfsg1-7
        > libsasl2-modules: 2.1.23.dfsg1-7
        > sasl2-bin: 2.1.23.dfsg1-7
        >
        > What can I do to fix this?

        Consider reading Postfix documentation.
        The error message is described there.

        http://www.postfix.org/SASL_README.html.

        Wietse
      • Bill Cole
        Message 3 of 13 , Dec 5, 2012
          On 5 Dec 2012, at 14:27, jugree@... wrote:

          > Hello.
          >
          > I'm getting `warning:xsasl_cyrus_server_get_mechanism_list: no
          > applicable SASL mechanisms' (/var/log/mail.log) and `fatal: no SASL
          > authentication mechanisms' (/var/log/mail.err) in Debian Squeeze.
          >
          > Installed:
          >
          > postfix: 2.7.1-1+squeeze1
          > libsasl2-2: 2.1.23.dfsg1-7
          > libsasl2-modules: 2.1.23.dfsg1-7
          > sasl2-bin: 2.1.23.dfsg1-7
          >
          > What can I do to fix this?
          >
          > There is a related bug report:
          > http://lists.alioth.debian.org/pipermail/pkg-cyrus-sasl2-debian-devel/2011-August/002198.html

          While the Postfix documentation Dr. Venema referred to has the necessary
          clues, you can find Debian-specific ones in the full Debian bug record
          and those clues may be more immediately useful if you don't want to
          build Postfix from the pristine source:
          http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638045

          If I'm reading that correctly, a direct fix would be to update to
          version 2.8.4-1 (or later) of the Debian Postfix package, released
          2011-08-20.
        • jugree@lavabit.com
          Message 4 of 13 , Dec 5, 2012
            > Consider reading Postfix documentation.
            > The error message is described there.

            I haven't found it. Could you paste it?

            > While the Postfix documentation Dr. Venema referred to has the necessary
            > clues, you can find Debian-specific ones in the full Debian bug record
            > and those clues may be more immediately useful if you don't want to
            > build Postfix from the pristine source:
            > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638045

            Will it solve the problem if I switch to Dovecot SASL?
          • Reindl Harald
            Message 5 of 13 , Dec 5, 2012
              On 05.12.2012 22:02, jugree@... wrote:
              >> Consider reading Postfix documentation.
              >> The error message is described there.
              >
              > I haven't found it. Could you paste it?
              >
              >> While the Postfix documentation Dr. Venema referred to has the necessary
              >> clues, you can find Debian-specific ones in the full Debian bug record
              >> and those clues may be more immediately useful if you don't want to
              >> build Postfix from the pristine source:
              >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638045
              >
              > Will it solve the problem if I switch to Dovecot SASL?

              if you are already using dovecot - yes!

              this way you have one single instance for login on smtpd
              and imap/pop3 which also would reflect settings like below
              which saved my life during the migration to linux from OSX EIMS
              because there were tons of users with % instead of @ in their
              configuration and to be 100% sure i also forced usernames
              to lowercase independent of the input

              auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
            • Glenn English
              Message 6 of 13 , Dec 5, 2012
                On Dec 5, 2012, at 2:02 PM, jugree@... wrote:

                > Will it solve the problem if I switch to Dovecot SASL?

                I've been using the Dovecot SASL option for several years on Debian Lenny and Squeeze, largely because figuring out Cyrus looked like too much work, and it was simple and quick to set up. It's worked flawlessly.

                Thanks, Wietse, for the option.

                --
                Glenn English
              • Wietse Venema
                Message 7 of 13 , Dec 5, 2012
                  jugree@...:
                  > > Consider reading Postfix documentation.
                  > > The error message is described there.
                  >
                  > I haven't found it. Could you paste it?

                  Well there is at least one section that covers "not found" or
                  "missing" authentication mechanisms.

                  The problem is a mis-match between smtpd_sasl_security_options
                  (e.g., noplaintext) and the available server mechanisms (e.g.,
                  plaintext only).

                  Wietse
                • jugree@lavabit.com
                  Message 8 of 13 , Dec 5, 2012
                    > The problem is a mis-match between smtpd_sasl_security_options
                    > (e.g., noplaintext) and the available server mechanisms (e.g.,
                    > plaintext only).

                    I've configured UNIX-domain socket communication, enabled SASL
                    authentication and authorization(0), but I'm still getting `fatal: no
                    SASL authentication mechanisms'.

                    Is it connected with my configuration? Is it connected with the
                    version of Postfix?

                    dovecot.conf:
                    mechanisms = plain

                    main.cf:
                    smtpd_sasl_security_options = noanonymous, noplaintext

                    AFAICT, it can't be connected with `noplaintext' because it `allows
                    plaintext mechanisms, but only over a TLS-encrypted connection'(1).

                    # postconf -a
                    cyrus
                    dovecot

                    (0) http://www.postfix.org/SASL_README.html#server_dovecot_comm
                    (1) http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options
                  • Noel Jones
                    Message 9 of 13 , Dec 5, 2012
                      On 12/5/2012 7:23 PM, jugree@... wrote:
                      >> The problem is a mis-match between smtpd_sasl_security_options
                      >> (e.g., noplaintext) and the available server mechanisms (e.g.,
                      >> plaintext only).
                      >
                      > I've configured UNIX-domain socket communication, enabled SASL
                      > authentication and authorization(0), but I'm still getting `fatal: no
                      > SASL authentication mechanisms'.
                      >
                      > Is it connected with my configuration? Is it connected with the
                      > version of Postfix?
                      >
                      > dovecot.conf:
                      > mechanisms = plain

                      If you're using dovecot now, make sure you set in main.cf
                      smtpd_sasl_type = dovecot

                      Make sure "postconf -n" output contains the settings you expect!


                      >
                      > main.cf:
                      > smtpd_sasl_security_options = noanonymous, noplaintext

                      Well there's the problem. Postfix says noplaintext but dovecot only
                      has PLAIN.

                      >
                      > AFAICT, it can't be connected with `noplaintext' because it `allows
                      > plaintext mechanisms, but only over a TLS-encrypted connection'(1).

                      For the above statement to be true, you need both
                      smtpd_sasl_security_options = noanonymous, noplaintext
                      smtpd_sasl_tls_security_options = noanonymous

                      and for the above to /work/ dovecot needs to offer a non-plaintext
                      mechanism, such as CRAM-MD5.

                      I would strongly suggest removing the "noplaintext" keyword during
                      testing.



                      -- Noel Jones
                    • jugree@lavabit.com
                      Message 10 of 13 , Dec 6, 2012
                        > and for the above to /work/ dovecot needs to offer a non-plaintext
                        > mechanism, such as CRAM-MD5.

                        > I would strongly suggest removing the "noplaintext" keyword during
                        > testing.

                        Can it be used on a regular basis (i.e., not just for testing)? Will it be
                        better to enable a non-plaintext mechanism? Which one is the best?

                        (I haven't tried yet.)
                      • Noel Jones
                        Message 11 of 13 , Dec 6, 2012
                          On 12/6/2012 4:54 AM, jugree@... wrote:
                          >> and for the above to /work/ dovecot needs to offer a non-plaintext
                          >> mechanism, such as CRAM-MD5.
                          >
                          >> I would strongly suggest removing the "noplaintext" keyword during
                          >> testing.
                          >
                          > Can it be used on a regular basis (i.e., not just for testing)?

                          Yes, tell dovecot to offer non-plaintext mechanisms.

                          Alternately, tell postfix to not offer non-TLS AUTH with main.cf
                          smtpd_tls_auth_only = yes

                          > Will it be
                          > better to enable a non-plaintext mechanism? Which one is the best?

                          There is no best, there is only what fits your needs. I expect it's
                          common to specify
                          smtpd_sasl_security_options = noanonymous
                          smtpd_sasl_tls_security_options = noanonymous

                          and then after verifying that SASL works, adding
                          smtpd_tls_auth_only = yes


                          -- Noel Jones
                        • jugree@lavabit.com
                          Message 12 of 13 , Dec 6, 2012
                            > I would strongly suggest removing the "noplaintext" keyword during
                            > testing.

                            Thank you. It worked.

                            > There is no best, there is only what fits your needs. I expect it's
                            > common to specify
                            > smtpd_sasl_security_options = noanonymous
                            > smtpd_sasl_tls_security_options = noanonymous

                            > and then after verifying that SASL works, adding
                            > smtpd_tls_auth_only = yes

                            Does it mean that my session will be encrypted using TLS, but there
                            won't be any encryption inside the tunnel?

                            I assume it's pretty secure for most cases. Could you confirm?

                            Anyway, I'll try to configure a non-plaintext mechanism.
                          • Noel Jones
                            Message 13 of 13 , Dec 6, 2012
                              On 12/6/2012 9:54 PM, jugree@... wrote:
                              >> common to specify
                              >> smtpd_sasl_security_options = noanonymous
                              >> smtpd_sasl_tls_security_options = noanonymous
                              >
                              >> and then after verifying that SASL works, adding
                              >> smtpd_tls_auth_only = yes
                              >
                              > Does it mean that my session will be encrypted using TLS, but there
                              > won't be any encryption inside the tunnel?


                              Right, postfix won't offer AUTH unless the session is TLS-encrypted,
                              and all credentials are protected by TLS.

                              Postfix (and the SASL backend) will still happily use any supported
                              mechanisms inside TLS, but now there's no particular advantage for
                              the non-plaintext mechanisms since everything is already encrypted
                              with TLS.


                              > I assume it's pretty secure for most cases. Could you confirm?

                              More secure, because with TLS the mail content is encrypted, not
                              just the credentials.


                              >
                              > Anyway, I'll try to configure a non-plaintext mechanism.
                              >

                              Many popular desktop clients only support PLAIN and LOGIN (both
                              considered plain-text equivalent), but it (most likely) won't hurt
                              to offer additional mechanisms.



                              -- Noel Jones
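
Added example, not part of the thread and not Postfix or Dovecot code: a simplified Python model of the option/mechanism mismatch discussed in messages 7, 9 and 11, showing which mechanisms survive on cleartext and TLS sessions for a given main.cf. The mechanism property table, the function names and the sample configurations are assumptions of this sketch.

```python
# Added example: simplified model of how SASL security options filter the
# mechanisms a backend offers. The property table is an assumption of this
# sketch (typical properties), not read from a live Dovecot instance.
MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "CRAM-MD5": {"dictionary", "active"},
    "DIGEST-MD5": {"dictionary", "active"},
    "ANONYMOUS": {"anonymous"},
}
# Each security option removes mechanisms that carry the matching property.
OPTION_EXCLUDES = {"noplaintext": "plaintext", "noanonymous": "anonymous",
                   "noactive": "active", "nodictionary": "dictionary"}


def offered(backend_mechs, options):
    """Mechanisms left after applying a value like 'noanonymous, noplaintext'."""
    tokens = options.replace(",", " ").split()
    banned = {OPTION_EXCLUDES[t] for t in tokens if t in OPTION_EXCLUDES}
    return [m for m in backend_mechs
            if not (MECH_PROPS.get(m.upper(), set()) & banned)]


def audit(main_cf, backend_mechs):
    """Return (mechs on cleartext sessions, mechs on TLS sessions, findings)."""
    plain_opts = main_cf.get("smtpd_sasl_security_options", "noanonymous")
    # Default: smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    tls_opts = main_cf.get("smtpd_sasl_tls_security_options", plain_opts)
    tls_only = main_cf.get("smtpd_tls_auth_only", "no") == "yes"
    clear = [] if tls_only else offered(backend_mechs, plain_opts)
    tls = offered(backend_mechs, tls_opts)
    findings = []
    if not tls_only and not clear:
        findings.append("no SASL mechanisms left for non-TLS sessions")
    if not tls:
        findings.append("no SASL mechanisms left for TLS sessions")
    if any("plaintext" in MECH_PROPS.get(m.upper(), set()) for m in clear):
        findings.append("plaintext credentials offered without TLS")
    return clear, tls, findings


# Constructed inputs mirroring the settings quoted in the thread.
BROKEN = {"smtpd_sasl_security_options": "noanonymous, noplaintext"}
FIXED = {"smtpd_sasl_security_options": "noanonymous",
         "smtpd_sasl_tls_security_options": "noanonymous",
         "smtpd_tls_auth_only": "yes"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg, ["PLAIN"]))  # backend: mechanisms = plain
```

Feed it the values from `postconf -n` and the backend's mechanism list; an empty list for a session type corresponds to the mismatch the thread diagnoses.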