Postfix: SASL authentication failed; cannot authenticate to server

[kooskaspers]

Since chart v1.2.0 (I’ve upgraded from 0.3.3) I’m encountering a problem with postfix: I’m not able to send email anymore.
This is my relay configuration in values.yaml:

## @param externalRelay.networks List of networks that are allowed to use Mailu as external relay                                                                        
externalRelay:                                                                                                                                                           
host: "smtp.tweak.nl:587"

As you can see there is no authentication necessary for my ISP’s SMTP server. Which worked by the way perfectly with chart version 0.3.3

As of now, I’m not able to send email anymore. I’m getting these (authentication) errors:

daemon started -- version 3.7.4, configuration /etc/postfix
47BDD2262DB: from=<>, size=4921, nrcpt=1 (queue active)
148F02262D2: from=<me@mydomain.com>, size=356, nrcpt=1 (queue active)
warning: SASL authentication failure: No worthy mechs found
warning: SASL authentication failure: No worthy mechs found
148F02262D2: to=<testemail@gmail.com>, relay=smtp.tweak.nl[82.197.196.177]:587, delay=702, delays=701/0.02/0.02/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.tweak.nl[82.197.196.177]: no mechanism available)

I am able to fix it by changing the postfix configuration by getting shell access to the Postfix pod, and altering the /etc/postfix/main.cf file:

FROM

# Relayhost if any is configured
relayhost = smtp.tweak.nl:587

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

TO

# Relayhost if any is configured
relayhost = smtp.tweak.nl:587

smtp_sasl_auth_enable = no
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

and reloading the postfix configuration by:
postfix reload
It seems the chart / mailu thinks I have to authenticate towards the smtp server, but I’ve set no username & password for the relay server, so in my opinion, mailu shouldn’t set smtp_sasl_auth_enable to yes.

I’m not sure how this was configured with chart 0.3.3, but my relayhost configuration worked fine by then.

[fiskhest]

To fix this without manual intervention, those settings can be applied through postfix.overrides in the helm chart.

https://github.com/Mailu/helm-charts/blob/master/mailu/values.yaml#L1235

[kooskaspers]

Great to hear @fiskhest, thanks 🙏

[kooskaspers]

@fiskhest, hmm can't get it working.

Changed my values.yaml to:

postfix:
    overrides:
        postfix.cf: |
            smtp_sasl_auth_enable = no

But the postfix container doesn't come up. Logs:

INFO:MAIN:MTA-STS daemon starting...
2023-07-31 19:16:04 INFO     MAIN: MTA-STS daemon starting...
INFO:MAIN:Starting eventloop...
2023-07-31 19:16:04 INFO     MAIN: Starting eventloop...
INFO:MAIN:uvloop is not available. Falling back to built-in event loop.
2023-07-31 19:16:04 INFO     MAIN: uvloop is not available. Falling back to built-in event loop.
INFO:MAIN:Eventloop started.
2023-07-31 19:16:04 INFO     MAIN: Eventloop started.
INFO:MAIN:Server started.
INFO:MAIN:Proactive policy fetching is disabled.
2023-07-31 19:16:04 INFO     MAIN: Server started.
2023-07-31 19:16:04 INFO     MAIN: Proactive policy fetching is disabled.

[fiskhest]

Possible nit, your example looks overly indented, unsure how helm/mailu reacts to that.

I never tested with your specific settings, but I was able to override multiple keys without seeing anything like this.
Does your pod not come up at all without any other messages in logs or kubectl describe pod?

If it's running, you could try execing into it and checking /etc/postfix/main.cf? For what I wanted to override, it just worked.

[fastlorenzo]

@kooskaspers could you post the content of your postfix override configmap from your cluster (this should be generated automatically if you set postfix.overrides in your values.yaml

[kooskaspers]

Will do today / tomorrow . Thanks for looking into this.

[kooskaspers]

@fastlorenzo, here is the contents of the postfix override configmap:

apiVersion: v1
data:
  postfix.cf: |
    smtp_sasl_auth_enable = no
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: mailu
    meta.helm.sh/release-namespace: mailserver
  creationTimestamp: "2023-08-13T20:13:35Z"
  labels:
    app.kubernetes.io/component: postfix
    app.kubernetes.io/instance: mailu
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: mailu
    helm.sh/chart: mailu-1.2.0
  name: mailu-postfix-override
  namespace: mailserver
  resourceVersion: "27445289"
  uid: 86804510-92bc-4d6e-a4d9-4fbebca448e7

[kooskaspers]

Since chart version 1.4.0 this is working perfectly fine (with above values.yaml).
Closing the issue!

[fastlorenzo]

Great, glad to hear that!