authentication not enabled

[oliversturm]

I'm running the image with SMTP_ONLY=1 and PERMIT_DOCKER=network. For months now, I have successfully sent email from other docker containers, no problem. External sending was not possible and there were no "emails" configured (as understood by the setup.sh script), only a few aliases.

Now I'm trying to enable sending for a single external account, so that an app running on a different machine can use the server. So I added an "email" account and set a password:

./setup.sh email add daemon@mydomain.org
./setup.sh email restrict add receive daemon@mydomain.org

I have since restarted the container (I think that might be important). I can also see the newly created account in postfix-accounts.cf.

However, when the external machine tries to deliver mail to the server, I see this error (on the side of the client):

5.5.1 Error: authentication not enabled

The server logs show one interesting line: apparently /etc/postfix/vmailbox can't be opened. Not sure what that means though.

Sep  2 12:57:06 mx postfix/smtpd[4855]: error: open database /etc/postfix/vmailbox: No such file or directory
Sep  2 12:57:06 mx postfix/smtpd[4855]: connect from <my sending server>[<myip>]
Sep  2 12:57:06 mx postfix/smtpd[4855]: Anonymous TLS connection established from <my sending server>[<myip>]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  2 12:57:06 mx postfix/smtpd[4855]: lost connection after AUTH from <my sending server>[<myip>]
Sep  2 12:57:06 mx postfix/smtpd[4855]: disconnect from <my sending server>[<myip>] ehlo=2 starttls=1 auth=0/1 commands=3/4

Am I missing something here? Do I need to do something else to make the server accept the login attempt?

[oliversturm]

I tried setting ENABLE_SASLAUTHD=1, clearly that is necessary. However I don't quite understand how this should work - looking at the source code, there doesn't seem to be any connection between the accounts in postfix-accounts.cf and (basic cyrus) SASL authentication.

However, the default is PAM and I was surprised to see that this doesn't work either. I see endless output like this flying by when I simply enable saslauthd while leaving all other related options on their defaults:

mail         | 2019-09-03 08:47:38,750 INFO spawned: 'saslauthd_pam' with pid 1382
mail         | 2019-09-03 08:47:38,760 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,763 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,765 INFO spawned: 'saslauthd_pam' with pid 1383
mail         | 2019-09-03 08:47:38,775 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,779 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,781 INFO spawned: 'saslauthd_pam' with pid 1384
mail         | 2019-09-03 08:47:38,791 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,795 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,797 INFO spawned: 'saslauthd_pam' with pid 1385
mail         | 2019-09-03 08:47:38,807 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,811 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,813 INFO spawned: 'saslauthd_pam' with pid 1386
mail         | 2019-09-03 08:47:38,823 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,826 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,829 INFO spawned: 'saslauthd_pam' with pid 1387
mail         | 2019-09-03 08:47:38,840 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,845 INFO exited: saslauthd_pam (exit status 0; expected)
mail         | 2019-09-03 08:47:38,847 INFO spawned: 'saslauthd_pam' with pid 1390
mail         | 2019-09-03 08:47:38,860 INFO success: saslauthd_pam entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
mail         | 2019-09-03 08:47:38,863 INFO exited: saslauthd_pam (exit status 0; expected)

After some research, it seems to me that there is no built-in mechanism at this point to run with SMTP_ONLY and use the existing configured accounts. Or am I missing something?

[oliversturm]

Looks like previous discussions confirm my impression, specifically this comment.

So the only way to use authentication in an SMTP_ONLY setup is to arrange for it manually. Guess I better dust off old sasl skills and try to do that.

[erik-wramner]

Right. If you want to improve this and find a general way, feel free to submit a PR.

EDIT: at least we could update the readme or FAQ so that the next person can find the answer faster.

[oliversturm]

I managed to make it work for my setup. Probably a little way from there to a "general" approach, but I thought it can't hurt to have the details here.

I added this to postfix-main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus

Then I created a file smtpd.conf that is mounted as /etc/postfix/sasl/smtpd.conf into the container:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN DIGEST-MD5

I created a file sasldb2 on the host and added the user account I want to use for sending:

saslpasswd -f ./sasldb2 -c -u <my domain> <username>

This file has permissions 660 and belongs to root:45 (to be compatible with the groups in the container). It's mounted as /etc/sasldb2 into the container.

Finally I added a command to my Dockerfile so that the user postfix is added to the group sasl:

RUN usermod postfix -a -G sasl

With this setup I can now modify the local sasldb file to configure accounts for the running SMTP server.

[erik-wramner]

Thanks for sharing!

[Mubramaj]

saslpasswd

@oliversturm , that helped a lot. On my side I was able to achieve this without using saslpasswd on the host machine but on the container using the user-patches script https://docker-mailserver.github.io/docker-mailserver/edge/faq/#how-to-adjust-settings-with-the-user-patchessh-script

First I added to the docker-data/dms/config/postfix-main.cf file the lines @oliversturm suggested

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus

Then on the docker-data/dms/config/user-patches.sh file:

mkdir -p /etc/postfix/sasl

echo "wcheck_method: auxprop
      auxprop_plugin: sasldb
      mech_list: PLAIN DIGEST-MD5" > /etc/postfix/sasl/smtpd.conf

echo $SMTP_PASSWORD | saslpasswd2 -c -u "mail.$DOMAIN_NAME" $SMTP_USERNAME