
Resolved no SASL authentication mechanisms

bork

Basic Pleskian
Server operating system version
AlmaLinux 9.2 (Turquoise Kodkod)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.56, last updated on Oct 13, 2023 01:25 AM
Hi,

Since this morning I have noticed this error appear in the Plesk mail log. I haven't made any changes other than updating the Plesk version last night.

Code:
2023-10-13 10:52:33 WARNING postfix/master [874100] warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
2023-10-13 10:52:33 WARNING postfix/master [874100] warning: process /usr/libexec/postfix/smtpd pid 876426 exit status 1
2023-10-13 10:52:32 CRIT postfix/smtpd [876426] fatal: no SASL authentication mechanisms
2023-10-13 10:52:32 WARNING postfix/smtpd [876426] warning: SASL: Connect to private/auth failed: Connection refused

Attempted fixes so far, restarting dovecot and postfix. Made changes in the smtpd.conf that I found here in the plesk forums, the current setting:

Code:
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: CRAM-MD5 PLAIN LOGIN
sql_engine: intentionally disabled
log_level: 4

Current settings in dovecot and postfix:
Code:
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
smtpd_use_tls = yes
smtp_use_tls = no
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8, [::1]/128, Server IP/32
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames

Code:
service auth {
  # Allow userdb lookups for popuser.
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = postfix
  }
}

service stats {
  unix_listener stats-writer {
    user = popuser
  }
}

The client says no mail is incoming since this morning. Any assistance would be appreciated. Thanks.
 
Your error messages are for postfix.

Under Ubuntu you might have previous configuration files in /var/lib/plesk/cfgmon. I'm not sure about AlmaLinux, if the path doesn't exist, try: find / -type d -iname 'cfgmon'

You could compare your main.cf and master.cf from the cfgmon path. Maybe restore the configuration that changed and restart postfix. If it doesn't solve your issue, check somehow your postfix.service (systemctl cat postfix.service for the current one).
 
Plesk also has some built-in repair tools.

plesk repair -n -v mail and/or plesk repair -n -v installation could indicate more.

Full help for plesk repair:
Code:
plesk repair --help
Usage: plesk repair ASPECT [OPTION]

Run Plesk check and repair tool.
Provide aspect 'all' to check and repair all aspects in the interactive mode.

Available aspects: all, mail, web, dns, ftp, fs, db, mysql, installation, sysusers.

Available options:
  -y - Try to repair all found issues.
  -n - Do not repair anything, check only.
  -v - Display more detailed output (verbose mode).
  -h - Display more detailed help on the selected aspect.
 
Thanks for your reply, from your suggestions, I found this so far. Plesk repair all -n -v detects this Warning below. The systemctl cat postfix.service returns nothing out of the ordinary. The issue persists.

Code:
Checking the consistency of the Plesk database

  Inconsistency in the table 'ModuleSettings' for the column
  module_id: No rows in the table 'Modules' with id = 10 (2 broken
  references) ....................................................... [WARNING]

  Broken references in table 'ModuleSettings':
  *************************** 1. row ***************************
  module_id: 10
       name: contextLines
      value: 10
  *************************** 2. row ***************************
  module_id: 10
       name: searchFiles
      value:
 
I found these errors with MXToolBox, these weren't being prompted before, I don't understand what could have happened.


Code:
Status Warning    smtp    mail.domain1.mk    Reverse DNS does not match SMTP Banner    information More Info
Status Warning    smtp    mail.domain1.mk    Warning - Does not support TLS.    information More Info
Status Warning    smtp    mail.domain1.mk    May be an open relay.
 
Do you have any backups of /etc/dovecot/dovecot.conf & /etc/dovecot/conf.d to check if there are any changes since then?

If you haven't restarted your server since the last potential systemd update:
systemctl daemon-reload
systemctl restart postfix.service
systemctl restart dovecot.service
systemctl --failed
 
You could check the update log if there are any broken packages or errors ig.

Otherwise I attached you all relevant /etc files from an AlmaLinux 9.2 with Plesk 18.0.56. Backup your own files before you make any changes and use them at your own risk.
 

Thanks for the assistance skibidi, I am still not able to solve this issue unfortunately. No incoming/outgoing mail still...
 
Okay so adding this code snippet in the dovecot.conf in the service auth part seems to have solved the issue for the time being, I will still be monitoring this.

I mean I tried several other solutions that I found from plesk support googling, however since they didn't work and I reverted those changes I will only provide what I think was the solution.
The snippet:

Code:
service auth {
  # Existing configuration for auth-userdb
  unix_listener auth-userdb {
    mode = 0600
    user = popuser
    group = popuser
  }

  # Added configuration for Postfix SASL
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
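
The log lines at the top of the thread (`SASL: Connect to private/auth failed: Connection refused`, then `fatal: no SASL authentication mechanisms`) appear when `main.cf` points smtpd at a Dovecot auth socket that no `unix_listener` creates. The following check is an added example, not part of the original post or of Plesk's tooling; it pairs the two configurations, using trimmed copies of the settings quoted in this thread as sample input, and assumes the stock Postfix queue directory `/var/spool/postfix` and Dovecot's default listener mode of 0600.

```python
# Sample inputs: the relevant lines quoted in this thread (trimmed).
MAIN_CF = "smtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/auth\n"
PLESK_DEFAULT = """service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}"""
WITH_LISTENER = PLESK_DEFAULT[:-1] + """  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
  }
}"""

def postfix_params(text):
    """Parse 'name = value' lines of main.cf (continuation lines not handled)."""
    pairs = (l.partition("=") for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def auth_listeners(text):
    """Map unix_listener name -> settings for listeners inside 'service auth'."""
    found, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        if (len(stack) == 2 and stack[0] == "service auth"
                and stack[1].startswith("unix_listener ")):
            settings = found.setdefault(stack[1].split(None, 1)[1], {})
            if "=" in line:
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip()
    return found

def check_sasl_socket(main_cf, dovecot_conf):
    """Return (status, detail) for the Postfix -> Dovecot SASL socket pairing."""
    p = postfix_params(main_cf)
    if p.get("smtpd_sasl_type") != "dovecot":
        return ("skip", "smtpd_sasl_type is not dovecot")
    path = p.get("smtpd_sasl_path", "smtpd")
    # A relative smtpd_sasl_path is resolved against the Postfix queue directory.
    if not path.startswith("/"):
        path = p.get("queue_directory", "/var/spool/postfix") + "/" + path
    listener = auth_listeners(dovecot_conf).get(path)
    if listener is None:
        return ("missing", f"no unix_listener {path} in service auth")
    if int(listener.get("mode", "0600"), 8) & 0o007:
        return ("loose", f"{path} is reachable by every local user")
    return ("ok", f"{path} mode={listener.get('mode', '0600')}")
```

Feeding it the real files (`/etc/postfix/main.cf` and the output of `doveconf -n`) reports `missing` for the configuration from the first post and `ok` once the listener is present; `loose` flags a socket whose mode lets any local account talk to the auth service.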
 
The default setting from the Plesk Dovecot installation is

Code:
service auth {
  # Existing configuration for auth-userdb
  unix_listener auth-userdb {
    mode = 0600
    user = popuser
    group = popuser
  }
}

The file dovecot.conf is approx. 4K long. It includes several additional settings. In the subdirectory /conf.d there should be 10 included configuration files, too. Does this match your server? Else you'll probably need to remove and reinstall Dovecot to get the default settings.
 
The snippet you provided was the default configuration, yes. I provided the initial configuration in my first post. However, I was constantly getting the error, whatever I tried to fix the issue.

The Plesk update was performed around 1:30am, the errors began at 2:30am. It resolved half an hour ago after adding the postfix auth.

I will remove it later to test, this topic should still remain open if possible.
 
I am not entirely sure, but these Postfix parameters don't look like default Plesk parameters to me. I wonder how those get in your configuration. Are you using any Plesk extensions related email? Plesk Premium Email for example?
Code:
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

I am not sure that's wise to use, as the postfix user and group aren't used by Plesk. You might be opening your server up to more problems.
Code:
  # Added configuration for Postfix SASL
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
 
I am using the free mail extension.
I suspect maybe the issue was caused by the issuing of the wildcard certificate for the no host domain using the digitalocean tutorial, which worked, but maybe caused all this.

Should I reinstall postfix and dovecot to revert the change?

Any assistance would be great.
 
I am using the free mail extension.
The free Plesk Premium Email extension? I suppose that would explain the additional Postfix parameters.

I suspect maybe the issue was caused by the issuing of the wildcard certificate for the no host domain using the digitalocean tutorial, which worked, but maybe caused all this.
Could be, however I don't see how Certbot would interfere with Postfix or Dovecot. That being said, it's not recommended to use Certbot as Plesk has its own SSL agent/functionality.

Should I reinstall postfix and dovecot to revert the change?
I am not sure. You could give it a go and see what happens. Maybe try reinstalling Plesk Premium Email too. Make a backup (or server snapshot) before you do.

Otherwise open a ticket with Plesk support so they can investigate the issue on your server. The support team is great and very knowledgeable.
 
Sorry I wasn't certain before, since I was out for the moment, however I do not have any type of Email extension installed. I added the Postfix parameters myself just trying to find a solution to the issue.
I used Certbot, since while searching how to create a wildcard SSL for the no host domain, since I had issues with Outlook, that seemed like a good solution.
I tried opening a ticket with Plesk, however since the activation is provided by Hetzner, I couldn't chat with their support because they didn't approve the license.
I removed the Postfix parameters, and will check out how it goes.
 
These are the errors prompted that I found in the Plesk update log, other than that there is nothing out of the ordinary:

Code:
2023-10-13 01:27:23 INFO: pum is called with arguments: ['--check']
2023-10-13 01:27:23 ERROR: Update operation was locked by another update process (Plesk installer or pum).
2023-10-13 01:27:23 ERROR: Exited with return code 100.

I have reverted the changes that were done in Postfix/Dovecot to their default configuration thanks to @skibidi , so far everything seems to work okay. Is there a way to stress test this issue in order to be sure that it won't happen again from Monday on?

Maybe install Plesk premium email extension? Although it has kind of a low rating. @Kaspar what is the Plesk functionality to obtain a wildcard certificate for a no host domain? When I tried to add a certificate via the Plesk GUI, the certificate was only for webmail.no-host-domain.com, no other options were available.
 
These errors also persist, but if they are not a potential culprit, I will open a separate thread for them.

Code:
 Execution status has failed with exit code 3, stdout: × named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/named.service.d
             └─disable.conf
     Active: failed (Result: exit-code) since Tue 2023-10-10 22:16:44 CEST; 3 days ago
        CPU: 0
        

Execution status has failed with exit code 3, stdout: × php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/php-fpm.service.d
             └─limit_nofile.conf
     Active: failed (Result: exit-code) since Fri 2023-10-13 21:00:22 CEST; 12h ago
   Main PID: 1040525 (code=exited, status=78)
        CPU: 14ms
 
Taken from the thread you are having issues with
- BIND (named)
- PHP-FPM
- Postfix
- Dovecot
- SSL/Let's Encrypt
It's hard to solve all of these at once.

Regarding SSL for a "no hosting" domain: This can only work with wildcard certificates, because else hosting is needed for the authorization process of the certificate. We have a feature request for changing that that you could vote on to boost the idea further: Issue Let's Encrypt Wildcard (and others) certificate without main domain in SAN (use DNS-01 challenge only)

For Dovecot and Postfix: It'll probably be best to remove both and reinstall them. But this can impact existing mailboxes, so better do a backup beforehand.

Bind, PHP-FPM: Two important services that do not work. The most likely causes are misconfigurations. You can try to find out more by either checking journald for entries related to the start attempts or /var/log/messages.
 
Maybe install Plesk premium email extension? Although it has kind of a low rating.
I would not install Plesk premium email with the hope it solves your issues. The reason I mentioned Plesk premium email in my previous posts was because I was searching for an explanation on how those additional Postfix parameters ended up in your Postfix configuration. But you already explained that you've added them yourself manually. So that mystery is solved ;)

I have reverted the changes that were done in Postfix/Dovecot to their default configuration thanks to @skibidi , so far everything seems to work okay.
Does that mean you were able to solve the issue with SASL authentication mechanisms error?

Is there a way to stress test this issue in order to be sure that it won't happen again from Monday on?
Unfortunately I am not sure, as it's not clear (to me) how the issue originated. But from my experience with Plesk I can say that it is quite rare for the Postfix or Dovecot configuration to suddenly change that radically.

@Kaspar what is the Plesk functionality to obtain a wildcard certificate for a no host domain? When I tried to add a certificate via the Plesk GUI, the certificate was only for webmail.no-host-domain.com, no other options were available.
There isn't. The trick is to use the host name of your server (plesk.domain1.com if I remember correctly from your previous topic) as the host to connect to for any email client, instead of connecting to the domain name itself. By default (and unless you've changed the default Plesk configuration) on the host name email traffic is always secured with a valid certificate.

As Peter pointed out there is a feature request for using LE Wildcard certificates without a (hosted) domain which you can vote for.

I tried opening a ticket with Plesk, however since the activation is provided by Hetzner, I couldn't chat with their support because they didn't approve the license.
Lastly, if you got your Plesk license via a reseller or provider they should offer support, as Plesk support is not included with a reseller license. But that doesn't mean you can't get support from Plesk directly. You'll find more information on getting support directly here: https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-
 