Postfix SMTP Relay to Gmail Failing: Fixing “No Worthy Mechs Found” SASL Authentication Error



When configuring Postfix to relay emails through Gmail's SMTP server (smtp.gmail.com:587), many administrators encounter the frustrating SASL authentication error:

warning: SASL authentication failure: No worthy mechs found
F2D557874F: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.157.108]: no mechanism available

The "No worthy mechs found" error indicates Postfix cannot find suitable SASL authentication mechanisms to authenticate with Gmail. This typically occurs due to:

  • Missing SASL authentication libraries
  • Incomplete Postfix configuration
  • Mismatched TLS settings
  • Outdated SASL mechanisms
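How the mechanism list becomes empty, as an added example (not code from this page, Postfix or Cyrus SASL). It is a simplified model of the client-side selection; the function names and the EHLO reply are constructed for illustration. With Postfix's default `smtp_sasl_security_options = noplaintext, noanonymous`, PLAIN and LOGIN are rejected even when their plugins are installed.

```python
# Added example: simplified model of how the SASL client side ends up with
# "no worthy mechs". Not Postfix or Cyrus SASL source code.
import re

# Mechanisms that send the password itself inside the (TLS-protected) session.
PLAINTEXT = {"PLAIN", "LOGIN"}

def offered_mechs(ehlo_reply):
    """Collect mechanisms from the '250-AUTH ...' line(s) of an EHLO reply."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs += [x.upper() for x in m.group(1).split()]
    return mechs

def split_opts(value):
    """Split a comma/space separated main.cf value into lowercase tokens."""
    return {v.lower() for v in re.split(r"[,\s]+", value) if v}

def worthy_mechs(ehlo_reply, installed, security_options, mechanism_filter=""):
    """Return (usable mechanisms, {rejected mechanism: reason})."""
    opts = split_opts(security_options)
    allow = {m.upper() for m in split_opts(mechanism_filter)}
    have = {m.upper() for m in installed}
    usable, rejected = [], {}
    for mech in offered_mechs(ehlo_reply):
        if allow and mech not in allow:
            rejected[mech] = "excluded by smtp_sasl_mechanism_filter"
        elif "noplaintext" in opts and mech in PLAINTEXT:
            rejected[mech] = "excluded by noplaintext"
        elif "noanonymous" in opts and mech == "ANONYMOUS":
            rejected[mech] = "excluded by noanonymous"
        elif mech not in have:
            rejected[mech] = "no client plugin installed"
        else:
            usable.append(mech)
    return usable, rejected

# Constructed EHLO reply, as seen after STARTTLS (sample data, not a capture).
EHLO_AFTER_STARTTLS = """250-smtp.gmail.com at your service
250-SIZE 35882577
250-AUTH LOGIN PLAIN XOAUTH2
250 ENHANCEDSTATUSCODES"""

if __name__ == "__main__":
    for opts in ("noplaintext, noanonymous", "noanonymous"):
        print(opts, "->", worthy_mechs(EHLO_AFTER_STARTTLS, ["PLAIN", "LOGIN"], opts))
```

An empty first element in the result corresponds to the "no mechanism available" log line; the second element names the setting or missing plugin responsible for each rejected mechanism.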

Here's how to properly configure Postfix for Gmail SMTP relay:

1. Install Required Packages

sudo apt-get install libsasl2-modules libsasl2-2 sasl2-bin

2. Create SASL Password File

sudo mkdir -p /etc/postfix/sasl
sudo nano /etc/postfix/sasl/passwd

# Add this line:
[smtp.gmail.com]:587    username@gmail.com:app-specific-password

# Set permissions and create hash:
sudo chmod 600 /etc/postfix/sasl/passwd
sudo postmap /etc/postfix/sasl/passwd

3. Update Postfix Configuration

# /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

4. Test the Configuration

echo "Test email" | mail -s "Test Subject" recipient@example.com
tail -f /var/log/mail.log

For better security, consider using OAuth2 authentication instead of passwords:

# /etc/postfix/main.cf
smtp_sasl_mechanism_filter = xoauth2
smtp_sasl_tls_security_options = noanonymous
# Postfix has no smtp_sasl_oauth2_* parameters. XOAUTH2 comes from a separately
# installed Cyrus SASL plugin, and these values are supplied through that
# plugin, not as main.cf settings:
#   client ID:     your-client-id
#   client secret: your-client-secret
#   refresh token: your-refresh-token

  • Verify your Gmail account allows "Less secure apps" or has app-specific passwords enabled
  • Check firewall rules to ensure outbound traffic on port 587 is allowed
  • Test with different SASL mechanisms: plain, login, or xoauth2
  • Examine full debug output with postfix -v

When attempting to configure Postfix as a mail relay for Gmail's SMTP server (smtp.gmail.com:587), many administrators encounter a frustrating SASL authentication error:

warning: SASL authentication failure: No worthy mechs found
F2D557874F: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.157.108]: no mechanism available

This error typically occurs when:

  • Required SASL mechanisms aren't installed on the server
  • Postfix can't negotiate a compatible authentication method with Gmail
  • Missing or misconfigured TLS parameters

Here's the working configuration that resolves the issue:

# Main Postfix configuration
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous

# TLS Configuration
# smtp_use_tls is the legacy setting; smtp_tls_security_level overrides it when both are set.
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# SASL Mechanism specification
smtp_sasl_mechanism_filter = plain, login

Install the required SASL libraries:

sudo apt-get install libsasl2-modules libsasl2-2 sasl2-bin

Create /etc/postfix/sasl/sasl_passwd with your Gmail credentials:

[smtp.gmail.com]:587    your.email@gmail.com:yourAppPassword

Then secure and compile the file:

sudo chmod 600 /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd

Verify your setup with:

echo "Test email" | mail -s "Postfix Test" recipient@example.com

Check logs with:

tail -f /var/log/mail.log

  • Ensure you're using an App Password if you have 2FA enabled
  • Verify port 587 isn't blocked by your firewall
  • Check that your system time is synchronized (NTP)

For newer Postfix versions (2.11+), consider using OAuth2 authentication:

smtp_sasl_mechanism_filter = xoauth2
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd_oauth

The OAuth credentials file should contain:

[smtp.gmail.com]:587 your.email@gmail.com:oauth2_token_here