Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SASL authentication failure: No worthy mechs found #180

Closed
petrkr opened this issue Feb 8, 2024 · 2 comments
Closed

SASL authentication failure: No worthy mechs found #180

petrkr opened this issue Feb 8, 2024 · 2 comments

Comments

@petrkr
Copy link

petrkr commented Feb 8, 2024
edited
Loading

Latest version 4.1.0 (do not tested any other version from 3.5.0) can cannot authenticate to server.

2024-02-08T16:42:00.441548+00:00 INFO    postfix/relay/smtp[364]: 36F1612: SASL authentication failed; cannot authenticate to server smtp.postmarkapp.com[34.249.162.51]: no mechanism available
2024-02-08T16:42:00.444745+00:00 WARNING postfix/relay/smtp[366]: warning: SASL authentication failure: No worthy mechs found

Regarding to Postfix documentation there is by default disabled "PLAIN" and "LOGIN" Auth methods. But server accept Cram and digest md5, so why postfix not use them?

Answer is this line:

docker-postfix/scripts/common-run.sh

Line 404 in 5ea8c32

do_postconf -e "smtp_sasl_mechanism_filter=${other_plugins}"

Problem is, script will generate filter like smtp_sasl_mechanism_filter = digestmd5,ntlm,crammd5,plain,login,anonymous which is bad, that is Plugin name, not SASL Mechanism name.

As workaround for this I had to specify ENV POSTFIX_smtp_sasl_mechanism_filter="CRAM-MD5, DIGEST-MD5" and this is how it works

I hope it will help meanwhile someone if will be search over internet for better solution than 90% mentioned "just use PLAIN auth" or "just install package xyz"
@bokysan
Copy link
Owner

bokysan commented Feb 9, 2024

Thank you for the ticket. Do you have any commits on how to fix the issue?

Thanks,
B

@petrkr
Copy link
Author

petrkr commented Feb 9, 2024

No I don't.

This is thing I think everyone must decide their situation. Maybe best will be not specify at all and let postfix default. But this scenario I not tested. Even do not know if I can unset that variable from ENV vars

Basically if there will be replaced rhat grep from plugins to sasl mech, then it will fill all available sasl. But based on documentationc that can be achieved by using 'static:all' and if there is need to disable somec then use '!disabled-one'

Actually i did not check that oauth2 one, ifnis spelled right.

Actually it works somehow in others because 'plain' is same for plugin name and for mechanism, but for example that crammd5 is different from cram-md5 tbus it not works.

Do not know how other solve that, if they simple goes thru postfix not-recommended way and enables less secure 'plain' auth, so it start work, because of plugin name and sasl mech are same name, thus allowed.

So I think this is more for discussion.

Problem is, many administrators goes just easier way than secure one. Amount of stupid answers on stack overflow proofs that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bokysan @petrkr