smtp, postfix-mta, starttls

Postfix relay server with TLS/certificates and username password


I am charged with setting up an SMTP relay server that will relay all mails to a 3rd party secure SMTP server. This 3rd party server requires a secure connection with certificates and username/password login, before it will accept mails from my SMTP relay server.

I have configured the certificates:

# TLS settings
postconf -e "smtp_tls_security_level=verify"
postconf -e "smtp_tls_note_starttls_offer=yes"
postconf -e "smtp_tls_CApath=/etc/ssl/certs"
postconf -e "smtp_tls_cert_file=/etc/postfix/company.crt"
postconf -e "smtp_tls_key_file=/etc/postfix/company.pem"

This seems to work fine:

2019-05-05T08:37:25.729903-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read change cipher spec
2019-05-05T08:37:25.729962-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read finished
2019-05-05T08:37:25.730036-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: Matched subjectAltName: smtp.secureprovider.com
2019-05-05T08:37:25.730287-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587 CommonName smtp.secureprovider.com
2019-05-05T08:37:25.730355-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: subject_CN=smtp.secureprovider.com, issuer_CN=RapidSSL RSA CA 2018, fingerprint=1D:13:48:BB:92:E6:4E:AF:AC:6A:14:66:D8:F5:08:9F, pkey_fingerprint=CA:67:37:87:5F:47:51:0B:E5:7A:4A:4E:63:E0:75:CC
2019-05-05T08:37:25.730384-07:00 smtp-relays-test-1 postfix/smtp[119]: Verified TLS connection established to smtp.secureprovider.com[10.254.253.192]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Verified TLS connection established to smtp.secureprovider.com[10.254.253.192]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Next the password authentication is supposed to kick in. I can see in the logs that the correct username/password is used:

2019-05-05T08:37:25.753993-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-smtp.secureprovider.com
2019-05-05T08:37:25.754015-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-PIPELINING
2019-05-05T08:37:25.754033-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-SIZE 52428800
2019-05-05T08:37:25.754052-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-VRFY
2019-05-05T08:37:25.754071-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ETRN
2019-05-05T08:37:25.754089-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH PLAIN LOGIN
2019-05-05T08:37:25.754108-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH=PLAIN LOGIN
2019-05-05T08:37:25.754127-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ENHANCEDSTATUSCODES
2019-05-05T08:37:25.754145-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-8BITMIME
2019-05-05T08:37:25.754163-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250 DSN
2019-05-05T08:37:25.754193-07:00 smtp-relays-test-1 postfix/smtp[119]: server features: 0x902f size 52428800
2019-05-05T08:37:25.754215-07:00 smtp-relays-test-1 postfix/smtp[119]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
2019-05-05T08:37:25.754286-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: smtp.secureprovider.com: not found
2019-05-05T08:37:25.754743-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix|utf8_request): smtp.secureprovider.com:587 = username@secureprovider.com:XXXXXXXXXXX
2019-05-05T08:37:25.754780-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_passwd_lookup: host `smtp.secureprovider.com' user `username@secureprovider.com' pass `XXXXXXXXXXX'
2019-05-05T08:37:25.754803-07:00 smtp-relays-test-1 postfix/smtp[119]: starting new SASL client
2019-05-05T08:37:25.761839-07:00 smtp-relays-test-1 postfix/smtp[119]: name_mask: noanonymous
2019-05-05T08:37:25.762428-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_authenticate: smtp.secureprovider.com[10.254.253.192]:587: SASL mechanisms PLAIN LOGIN
2019-05-05T08:37:25.762493-07:00 smtp-relays-test-1 postfix/smtp[119]: warning: SASL authentication failure: No worthy mechs found

So username@secureprovider.com:XXXXXXXXXXX (obfuscated), I see the correct values in the logs.

But then the last lines read:

SASL mechanisms PLAIN LOGIN warning: SASL authentication failure: No worthy mechs found

And it fails. Any help appreciated!


Solution

  • This bug is causing the issue: https://bugs.alpinelinux.org/issues/9987

    Fix is to install the additional sasl packages:

    apk add --no-cache --upgrade cyrus-sasl cyrus-sasl-plain cyrus-sasl-login
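The script below is an added example, not code from the question or the answer above. It reproduces the mechanism selection that the Postfix SMTP client performs through Cyrus SASL: a mechanism is usable only if the remote server offered it in EHLO, a local SASL client plugin implements it, and `smtp_sasl_security_options` does not exclude it. When nothing survives all three checks, Cyrus SASL reports "No worthy mechs found", which is what happens both when the `cyrus-sasl-plain`/`cyrus-sasl-login` plugins are missing (the answer's case) and when Postfix's default `noplaintext, noanonymous` is left in place against a server that only offers PLAIN and LOGIN. The log excerpt, host name and address in the script are constructed for the demonstration; `postconf -h`, `postconf -A` and the plugin viewer commands named in the comments are real tools, but the viewer's binary name differs between distributions.

```shell
#!/bin/sh
# Added example (not from the question or answer above): model how a Postfix
# SMTP client picks a SASL mechanism. A mechanism is usable only if
#   (1) the remote server advertised it in its EHLO response,
#   (2) a local Cyrus SASL client plugin implements it, and
#   (3) smtp_sasl_security_options does not exclude it.
# An empty intersection is what Cyrus SASL logs as "No worthy mechs found".

# PLAIN and LOGIN carry the credential unencrypted inside the session, so they
# are only acceptable when the session itself is TLS-protected, as in the
# question's verified TLS connection. "noplaintext" excludes exactly these two.
PLAINTEXT_MECHS="PLAIN LOGIN"
ANON_MECHS="ANONYMOUS"

# Extract the advertised mechanisms from Postfix's logged EHLO response.
# Matches the "250-AUTH PLAIN LOGIN" line; "250-AUTH=..." is a legacy repeat.
ehlo_auth_mechs() {
    sed -n 's/.*250-AUTH \([A-Z0-9 _-]*\)$/\1/p' | head -n 1
}

# usable_mechs "<server mechs>" "<client plugin mechs>" "<security options>"
# prints the space-separated mechanisms that pass all three checks.
usable_mechs() {
    server=$1
    client=$2
    opts=$(printf '%s' "$3" | tr ',' ' ')   # accept postconf's comma-separated form
    result=""
    for m in $server; do
        # (2) no local plugin for this mechanism
        case " $client " in *" $m "*) ;; *) continue ;; esac
        # (3) excluded by noplaintext
        case " $opts " in *" noplaintext "*)
            case " $PLAINTEXT_MECHS " in *" $m "*) continue ;; esac ;;
        esac
        # (3) excluded by noanonymous
        case " $opts " in *" noanonymous "*)
            case " $ANON_MECHS " in *" $m "*) continue ;; esac ;;
        esac
        result="${result:+$result }$m"
    done
    printf '%s' "$result"
}

# explain "<label>" "<server mechs>" "<client mechs>" "<options>" reports one scenario.
explain() {
    label=$1
    got=$(usable_mechs "$2" "$3" "$4")
    if [ -n "$got" ]; then
        printf '%s: usable mechanisms: %s\n' "$label" "$got"
    else
        printf '%s: No worthy mechs found\n' "$label"
    fi
}

# Constructed log excerpt modelled on the question (host and address are not real).
SAMPLE_EHLO_LOG='relay postfix/smtp[119]: < smtp.example.test[192.0.2.10]:587: 250-PIPELINING
relay postfix/smtp[119]: < smtp.example.test[192.0.2.10]:587: 250-AUTH PLAIN LOGIN
relay postfix/smtp[119]: < smtp.example.test[192.0.2.10]:587: 250-AUTH=PLAIN LOGIN
relay postfix/smtp[119]: < smtp.example.test[192.0.2.10]:587: 250 DSN'

server=$(printf '%s\n' "$SAMPLE_EHLO_LOG" | ehlo_auth_mechs)
echo "server offers: $server"

# On a real relay the live inputs come from:
#   postconf -h smtp_sasl_security_options     -> the restrictions in effect
#   postconf -A                                -> SASL client types built in (e.g. cyrus)
#   saslpluginviewer -c  or  pluginviewer -c   -> installed client plugins (name varies by distro)
explain "base cyrus-sasl only, noanonymous"     "$server" "ANONYMOUS"             "noanonymous"
explain "plain+login plugins, noanonymous"      "$server" "PLAIN LOGIN ANONYMOUS" "noanonymous"
explain "plain+login plugins, Postfix defaults" "$server" "PLAIN LOGIN ANONYMOUS" "noplaintext, noanonymous"
```

The second scenario is the working state after the `apk add` in the answer; the first is the failure in the question, where the base `cyrus-sasl` package provides no plugin for PLAIN or LOGIN. The third shows why relaxing `smtp_sasl_security_options` to `noanonymous` (visible in the question's `name_mask: noanonymous` log line) is required for a provider that only offers plaintext mechanisms, and why that relaxation is only defensible together with `smtp_tls_security_level=verify`, which guarantees the credential never travels outside an authenticated TLS session.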