Postfix SMTP Authentication Failure: Debugging SASL Username/Password Configuration



When configuring Postfix with SMTP authentication, many admins encounter authentication failures despite seemingly correct configurations. The error typically manifests when clients try to authenticate but receive "535 5.7.8 Error: authentication failed" responses.

Your main.cf contains most required parameters, but let's verify each critical component:

# Authentication requirements
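# Explicitly set the SASL implementation (plug-in type).
# Keep comments on their own line: main.cf does not support trailing comments after a value.
smtpd_sasl_type = dovecot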
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

The format in /etc/postfix/sasl_passwd needs careful attention:

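# Correct format for server-to-server authentication (Postfix logging in to a relay host)
[smtp.foo.com]:587    username:password
# Authentication of clients connecting to this server uses a different mechanism (the smtpd_sasl_* settings), not this file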

First, verify SASL can actually authenticate users:

testsaslauthd -u username -p password
# Should return: 0: OK "Success."

Then check Postfix's SASL support:

postconf -a
# Should list the available SASL server plug-in types, such as:
# cyrus
# dovecot

After creating sasl_passwd, these commands are crucial:

postmap hash:/etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
systemctl reload postfix

Use this telnet sequence to verify:

EHLO client.example.com
AUTH LOGIN
# Wait for base64-encoded username prompt
# Then password prompt

Consider using Dovecot SASL for more reliable authentication:

# In main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# In dovecot.conf
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Check these log locations for debugging:

/var/log/mail.log
/var/log/syslog
journalctl -u postfix -f

Look for lines containing "SASL" or "authentication failure".


When setting up SMTP authentication in Postfix, many administrators encounter authentication failures despite seemingly correct configurations. The issue typically stems from missing components in the SASL authentication chain rather than just the Postfix configuration itself.

For proper SMTP authentication, you need three components working together:

1. Postfix with SASL support
2. Cyrus SASL libraries
3. SASL authentication backend (like saslauthd)

First, check if your SASL setup is actually working independently of Postfix:

testsaslauthd -u username -p password
# Should return: 0: OK "Success."

If this fails, your issue is with the SASL backend, not Postfix.

Your current sasl_passwd format is incorrect for SMTP authentication. It should be:

[smtp.foo.com]:587    username:password
# or for multiple entries:
[smtp.foo.com]:587    username1:password1
[smtp.foo.com]:587    username2:password2

After editing, regenerate the DB file:

postmap /etc/postfix/sasl_passwd

Add these critical parameters to your main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes

Use this command to verify SMTP authentication:

telnet localhost 25
EHLO localhost
AUTH PLAIN
# Then provide base64 encoded credentials
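
The base64 tokens that both telnet tests above ask for (AUTH LOGIN and AUTH PLAIN) can be built and checked in the shell. This is an added example, not part of the original page; the function names are hypothetical and username/password are the page's placeholders.

```shell
#!/bin/sh
# Added example: build and decode the base64 tokens used by SMTP AUTH.
# "username" and "password" are placeholder credentials, as on the page.

# b64: base64-encode stdin on a single line (no wrapping, no trailing newline).
b64() { base64 | tr -d '\n'; }

# AUTH PLAIN initial response: authzid NUL authcid NUL password (RFC 4616).
# The empty authzid means "act as the authenticating user".
auth_plain() {
    printf '\000%s\000%s' "$1" "$2" | b64
}

# AUTH LOGIN sends the username and the password as two separate base64 lines.
# printf '%s' avoids the trailing newline that echo would otherwise encode.
auth_login_token() {
    printf '%s' "$1" | b64
}

# Decode a "334 <base64>" server challenge or any bare token.
# NUL separators are shown as "|" so AUTH PLAIN tokens stay readable.
decode_token() {
    printf '%s' "${1#334 }" | base64 -d | tr '\000' '|'
}

# Print the lines to type into the telnet session for both mechanisms.
smtp_auth_lines() {
    echo "AUTH PLAIN $(auth_plain "$1" "$2")"
    echo "AUTH LOGIN"
    auth_login_token "$1"; echo
    auth_login_token "$2"; echo
}

smtp_auth_lines username password
```

These tokens are a reversible encoding of the password, not a hash, so treat them like the password itself and keep them out of shell history and tickets.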

For automated testing, use swaks:

swaks --to user@example.com --from user@foo.com \
--server foo.com --auth-user username --auth-password password

Enable verbose logging in /etc/default/saslauthd:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Check logs with:

tail -f /var/log/mail.log

Always ensure:

1. sasl_passwd file has 600 permissions
2. sasl_passwd.db has 640 permissions
3. Postfix chroot environment has access to SASL socket