New SASL error when relaying through gmail


Michael-129
Hello,

I have been using postfix on a local machine for a few years to act as a
relay for my domain to send email out through gmail.


This has worked well enough, but I noticed recently that I had some
email queued up and was not getting emails out any longer.


In my maillog, I am seeing these errors:

Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[173.194.203.108]: invalid parameter supplied)

I have googled a lot, but I am not finding anything that matches this
error message.   I am not sure also what might have changed to cause
this.   Not sure if Google changed something or a package update broke
something, etc.


This is in Fedora 29, x86_64, postfix-3.3.1, and
cyrus-sasl-lib-2.1.27-0.3rc7.


output of postconf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my.domain
myhostname = deathstar.my.domain
mynetworks = 192.168.0.0/16, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.gmail.com]:587
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550


Any thoughts on what the error means and what I might need to change?


Michael



RE: New SASL error when relaying through gmail

angelo
Hi, I suspect this is wrong

relayhost = [smtp.gmail.com]:587


that looks like typical setup for an email client using IMAP and that is the config for sending email.
It would require a username and password.

https://support.google.com/mail/answer/7126229?visit_id=636830764979015900-598820322&hl=en&rd=1



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Michael
Sent: Monday, January 14, 2019 10:23 AM
To: [hidden email]
Subject: New SASL error when relaying through gmail

Hello,

I have been using postfix on a local machine for a few years to act as a
relay for my domain to send email out through gmail.


This has worked well enough, but I noticed recently that I had some
email queued up and was not getting emails out any longer.


In my mailog, I am seeing these errors:

Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[173.194.203.108]: invalid parameter supplied)

I have googled a lot, but I am not finding anything that matches this
error message.   I am not sure also what might have changed to cause
this.   Not sure if Google changed something or a package update broke
something, etc.


This is in Fedora 29, x86_64, postfix-3.3.1, and
cyrus-sasl-lib-2.1.27-0.3rc7.


output of postconf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my.domain
myhostname = deathstar.my.domain
mynetworks = 192.168.0.0/16, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.gmail.com]:587
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550


Any thoughts on what the error means and what I might need to change?


Michael



Re: New SASL error when relaying through gmail

John Stoffel-2
In reply to this post by Michael-129

Michael> I have been using postfix on a local machine for a few years
Michael> to act as a relay for my domain to send email out through
Michael> gmail.

Michael> This has worked well enough, but I noticed recently that I
Michael> had some email queued up and was not getting emails out any
Michael> longer.

Michael> In my mailog, I am seeing these errors:

Michael> Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
Michael> to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
Michael> delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
Michael> authentication failed; cannot authenticate to server
Michael> smtp.gmail.com[173.194.203.108]: invalid parameter supplied)

It looks to me like your gmail password has changed.  Have you
confirmed that your settings are correct and that the
username/password still work?  

Michael> I have googled a lot, but I am not finding anything that matches this
Michael> error message.   I am not sure also what might have changed to cause
Michael> this.   Not sure if Google changed something or a package update broke
Michael> something, etc.


Michael> This is in Fedora 29, x86_64, postfix-3.3.1, and
Michael> cyrus-sasl-lib-2.1.27-0.3rc7.


Michael> output of postconf

Michael> alias_database = hash:/etc/aliases
Michael> alias_maps = hash:/etc/aliases
Michael> command_directory = /usr/sbin
Michael> compatibility_level = 2
Michael> daemon_directory = /usr/libexec/postfix
Michael> data_directory = /var/lib/postfix
Michael> debug_peer_level = 2
Michael> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
Michael> $daemon_directory/$process_name $process_id & sleep 5
Michael> html_directory = no
Michael> inet_interfaces = localhost, $myhostname
Michael> inet_protocols = ipv4
Michael> mail_owner = postfix
Michael> mailq_path = /usr/bin/mailq.postfix
Michael> manpage_directory = /usr/share/man
Michael> meta_directory = /etc/postfix
Michael> mydestination = $myhostname, localhost.$mydomain, localhost
Michael> mydomain = my.domain
Michael> myhostname = deathstar.my.domain
Michael> mynetworks = 192.168.0.0/16, 127.0.0.0/8
Michael> newaliases_path = /usr/bin/newaliases.postfix
Michael> queue_directory = /var/spool/postfix
Michael> readme_directory = /usr/share/doc/postfix/README_FILES
Michael> relayhost = [smtp.gmail.com]:587
Michael> sample_directory = /usr/share/doc/postfix/samples
Michael> sendmail_path = /usr/sbin/sendmail.postfix
Michael> setgid_group = postdrop
Michael> shlib_directory = /usr/lib64/postfix
Michael> smtp_sasl_auth_enable = yes
Michael> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
Michael> smtp_sasl_security_options = noanonymous
Michael> smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
Michael> smtp_use_tls = yes
Michael> unknown_local_recipient_reject_code = 550


Michael> Any thoughts on what the error means and what I might need to change?

Double check your gmail access outside of postfix, and make sure the
password/username matches in your /etc/postfix/sasl/password file.

Re: New SASL error when relaying through gmail

Michael-129
On 1/14/19 8:30 AM, John Stoffel wrote:

> Michael> I have been using postfix on a local machine for a few years
> Michael> to act as a relay for my domain to send email out through
> Michael> gmail.
>
> Michael> This has worked well enough, but I noticed recently that I
> Michael> had some email queued up and was not getting emails out any
> Michael> longer.
>
> Michael> In my mailog, I am seeing these errors:
>
> Michael> Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
> Michael> to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
> Michael> delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
> Michael> authentication failed; cannot authenticate to server
> Michael> smtp.gmail.com[173.194.203.108]: invalid parameter supplied)
>
> It looks to me like your gmail password has changed.  Have you
> confirmed that your settings are correct and that the
> username/password still work?
>
> Michael> I have googled a lot, but I am not finding anything that matches this
> Michael> error message.   I am not sure also what might have changed to cause
> Michael> this.   Not sure if Google changed something or a package update broke
> Michael> something, etc.
>
>
> Michael> This is in Fedora 29, x86_64, postfix-3.3.1, and
> Michael> cyrus-sasl-lib-2.1.27-0.3rc7.
>
>
> Michael> output of postconf
>
> Michael> alias_database = hash:/etc/aliases
> Michael> alias_maps = hash:/etc/aliases
> Michael> command_directory = /usr/sbin
> Michael> compatibility_level = 2
> Michael> daemon_directory = /usr/libexec/postfix
> Michael> data_directory = /var/lib/postfix
> Michael> debug_peer_level = 2
> Michael> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> Michael> $daemon_directory/$process_name $process_id & sleep 5
> Michael> html_directory = no
> Michael> inet_interfaces = localhost, $myhostname
> Michael> inet_protocols = ipv4
> Michael> mail_owner = postfix
> Michael> mailq_path = /usr/bin/mailq.postfix
> Michael> manpage_directory = /usr/share/man
> Michael> meta_directory = /etc/postfix
> Michael> mydestination = $myhostname, localhost.$mydomain, localhost
> Michael> mydomain = my.domain
> Michael> myhostname = deathstar.my.domain
> Michael> mynetworks = 192.168.0.0/16, 127.0.0.0/8
> Michael> newaliases_path = /usr/bin/newaliases.postfix
> Michael> queue_directory = /var/spool/postfix
> Michael> readme_directory = /usr/share/doc/postfix/README_FILES
> Michael> relayhost = [smtp.gmail.com]:587
> Michael> sample_directory = /usr/share/doc/postfix/samples
> Michael> sendmail_path = /usr/sbin/sendmail.postfix
> Michael> setgid_group = postdrop
> Michael> shlib_directory = /usr/lib64/postfix
> Michael> smtp_sasl_auth_enable = yes
> Michael> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> Michael> smtp_sasl_security_options = noanonymous
> Michael> smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
> Michael> smtp_use_tls = yes
> Michael> unknown_local_recipient_reject_code = 550
>
>
> Michael> Any thoughts on what the error means and what I might need to change?
>
> Double check your gmail access outside of postfix, and make sure the
> password/username matches in your /etc/postfix/sasl/password file.


Thanks John,


I thought this might be the case as well.   I reset the account
password and also re-set up the application password on the gmail
account for postfix (in my sasl password file). That didn't seem to
make a difference.   Is there an easy way to test the app password on
google?


Michael



Re: New SASL error when relaying through gmail

Viktor Dukhovni
In reply to this post by angelo
> On Jan 14, 2019, at 10:28 AM, Fazzina, Angelo <[hidden email]> wrote:
>
> Hi, I suspect this is wrong
>
> relayhost = [smtp.gmail.com]:587

No, that setting is just fine.  Per the subject, the OP is having an issue
with SASL authentication to this relay.

Given:

   smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

The thing to check is whether the table contains correct information
(without posting the password, or its base64 encoding to the list).
The OP should run:

   postmap -q "smtp.gmail.com" hash:/etc/postfix/sasl/passwd

and make sure that the output contains the correct username and
password (not posted here).

--
        Viktor.


Re: New SASL error when relaying through gmail

Ignacio Garcia
In reply to this post by Michael-129
Michael, I use a gmail account to send system notifications directly
with s-nail in case postfix may fail, and I had similar problems in the
past with gmail, and it was because:

1.- That gmail account was not configured to accept "less secure"
connections. See https://support.google.com/accounts/answer/6010255?hl=en

2.- Even though I had "less secure" connections enabled, each time I set
up a new server (another IP), for that IP I had to go through that
process covered in step 1.

Ignacio

On 14/01/2019 at 16:22, Michael wrote:

> Hello,
>
> I have been using postfix on a local machine for a few years to act as
> a relay for my domain to send email out through gmail.
>
>
> This has worked well enough, but I noticed recently that I had some
> email queued up and was not getting emails out any longer.
>
>
> In my mailog, I am seeing these errors:
>
> Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
> to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
> delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred
> (SASL authentication failed; cannot authenticate to server
> smtp.gmail.com[173.194.203.108]: invalid parameter supplied)
>
> I have googled a lot, but I am not finding anything that matches this
> error message.   I am not sure also what might have changed to cause
> this.   Not sure if Google changed something or a package update broke
> something, etc.
>
>
> This is in Fedora 29, x86_64, postfix-3.3.1, and
> cyrus-sasl-lib-2.1.27-0.3rc7.
>
>
> output of postconf
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> compatibility_level = 2
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> ddd $daemon_directory/$process_name $process_id & sleep 5
> html_directory = no
> inet_interfaces = localhost, $myhostname
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = my.domain
> myhostname = deathstar.my.domain
> mynetworks = 192.168.0.0/16, 127.0.0.0/8
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix/README_FILES
> relayhost = [smtp.gmail.com]:587
> sample_directory = /usr/share/doc/postfix/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> shlib_directory = /usr/lib64/postfix
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> smtp_sasl_security_options = noanonymous
> smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
> smtp_use_tls = yes
> unknown_local_recipient_reject_code = 550
>
>
> Any thoughts on what the error means and what I might need to change?
>
>
> Michael
>
>


Re: New SASL error when relaying through gmail

Michael-129
In reply to this post by Viktor Dukhovni
On 1/14/19 9:06 AM, Viktor Dukhovni wrote:

>> On Jan 14, 2019, at 10:28 AM, Fazzina, Angelo <[hidden email]> wrote:
>>
>> Hi, I suspect this is wrong
>>
>> relayhost = [smtp.gmail.com]:587
> No, that setting is just fine.  Per the subject, the OP is having an issue
> with SASL authentication to this relay.
>
> Given:
>
>     smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
>
> The thing to check is whether the table contains correct information
> (without posting the password, or its base64 encoding to the list).
> The OP should run:
>
>     postmap -q "smtp.gmail.com" hash:/etc/postfix/sasl/passwd
>
> and make sure that the output contains the correct username and
> password (not posted here).
>

Thanks Viktor,


Your command does not return the right data, but:

postmap -q "[smtp.gmail.com]:587" hash:/etc/postfix/sasl/passwd


does return the right data.


Michael



Re: New SASL error when relaying through gmail

cvandesande
In reply to this post by Michael-129
Just a guess, but are you using App passwords for GMail?  It's possible
Gmail is enforcing some 2FA/MFA or otherwise some kind of "enhanced"
authentication.

Even if you aren't using 2FA, it might be worth giving a shot.

Chris.

On 2019-01-14 11:00 a.m., Michael wrote:

> On 1/14/19 8:30 AM, John Stoffel wrote:
>> Michael> I have been using postfix on a local machine for a few years
>> Michael> to act as a relay for my domain to send email out through
>> Michael> gmail.
>>
>> Michael> This has worked well enough, but I noticed recently that I
>> Michael> had some email queued up and was not getting emails out any
>> Michael> longer.
>>
>> Michael> In my mailog, I am seeing these errors:
>>
>> Michael> Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
>> Michael> to=<[hidden email]>,
>> relay=smtp.gmail.com[173.194.203.108]:587,
>> Michael> delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0,
>> status=deferred (SASL
>> Michael> authentication failed; cannot authenticate to server
>> Michael> smtp.gmail.com[173.194.203.108]: invalid parameter supplied)
>>
>> It looks to me like your gmail password has changed.  Have you
>> confirmed that your settings are correct and that the
>> username/password still work?
>>
>> Michael> I have googled a lot, but I am not finding anything that
>> matches this
>> Michael> error message.   I am not sure also what might have changed
>> to cause
>> Michael> this.   Not sure if Google changed something or a package
>> update broke
>> Michael> something, etc.
>>
>>
>> Michael> This is in Fedora 29, x86_64, postfix-3.3.1, and
>> Michael> cyrus-sasl-lib-2.1.27-0.3rc7.
>>
>>
>> Michael> output of postconf
>>
>> Michael> alias_database = hash:/etc/aliases
>> Michael> alias_maps = hash:/etc/aliases
>> Michael> command_directory = /usr/sbin
>> Michael> compatibility_level = 2
>> Michael> daemon_directory = /usr/libexec/postfix
>> Michael> data_directory = /var/lib/postfix
>> Michael> debug_peer_level = 2
>> Michael> debugger_command =
>> PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>> Michael> $daemon_directory/$process_name $process_id & sleep 5
>> Michael> html_directory = no
>> Michael> inet_interfaces = localhost, $myhostname
>> Michael> inet_protocols = ipv4
>> Michael> mail_owner = postfix
>> Michael> mailq_path = /usr/bin/mailq.postfix
>> Michael> manpage_directory = /usr/share/man
>> Michael> meta_directory = /etc/postfix
>> Michael> mydestination = $myhostname, localhost.$mydomain, localhost
>> Michael> mydomain = my.domain
>> Michael> myhostname = deathstar.my.domain
>> Michael> mynetworks = 192.168.0.0/16, 127.0.0.0/8
>> Michael> newaliases_path = /usr/bin/newaliases.postfix
>> Michael> queue_directory = /var/spool/postfix
>> Michael> readme_directory = /usr/share/doc/postfix/README_FILES
>> Michael> relayhost = [smtp.gmail.com]:587
>> Michael> sample_directory = /usr/share/doc/postfix/samples
>> Michael> sendmail_path = /usr/sbin/sendmail.postfix
>> Michael> setgid_group = postdrop
>> Michael> shlib_directory = /usr/lib64/postfix
>> Michael> smtp_sasl_auth_enable = yes
>> Michael> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
>> Michael> smtp_sasl_security_options = noanonymous
>> Michael> smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
>> Michael> smtp_use_tls = yes
>> Michael> unknown_local_recipient_reject_code = 550
>>
>>
>> Michael> Any thoughts on what the error means and what I might need
>> to change?
>>
>> Double check your gmail access outside of postfix, and make sure the
>> password/username matches in your /etc/postfix/sasl/password file.
>
>
> Thanks John,
>
>
> I thought this might be the case as well.   I reset the password the
> account password and also re-setup the application password on the
> gmail account for postfix (in my my sasl password file). That didn't
> seem to make a difference.   Is there an easy way to test the app
> password on google?
>
>
> Michael
>
>

Re: New SASL error when relaying through gmail

Michael-129
On 1/14/19 10:42 AM, Christopher van de Sande wrote:
> Just a guess, but are you using App passwords for GMail?  It's
> possible Gmail is enforcing some 2FA/MFA or otherwise some kind of
> "enhanced" authentication.
>
> Even if you aren't using 2FA, it might be worth giving a shot.


Yes, I am using an application password.   I have tried both the regular
account password and the application password with the same error.   I
am not sure how to test the application password with another tool.  
Any suggestions?


Michael



Re: New SASL error when relaying through gmail

Michael-129
In reply to this post by cvandesande
On 1/14/19 10:42 AM, Christopher van de Sande wrote:

> Just a guess, but are you using App passwords for GMail?  It's
> possible Gmail is enforcing some 2FA/MFA or otherwise some kind of
> "enhanced" authentication.
>
> Even if you aren't using 2FA, it might be worth giving a shot.
>
>> I thought this might be the case as well.   I reset the password the
>> account password and also re-setup the application password on the
>> gmail account for postfix (in my my sasl password file). That didn't
>> seem to make a difference.   Is there an easy way to test the app
>> password on google?
>>
>>
>> Michael
>>
>>


I went back into my account and turned on less secure apps and turned
off 2FA.    I tried again with the regular password and the app
password.   Still the same error.     I hate when things work and then
suddenly break :(


Michael



RE: New SASL error when relaying through gmail

angelo
Hi, can you manually use commands to test the U/P are working from your postfix server ?

1. Run this to test connectivity to your server
openssl s_client -starttls smtp -connect your.host.name:587
        Typical OUTPUT =
                250 DSN
                quit
                221 2.0.0 Bye
                closed

2. Run this to create a hash
python3 -c 'import base64,sys; u,p=sys.argv[1:3]; print(base64.b64encode(("%s\x00%s\x00%s" % (u,u,p)).encode()).decode())' username password
        OUTPUT = dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
Replace username and password with real ones


Once Steps 1 and 2 work, you can test authentication with the hash in Step 3

3. Run the openssl commands and connect to your server.
        A. do an "ehlo domain" to see commands supported
                EXAMPLE :
                ehlo domain
                250-localpart.domain.part
                250-PIPELINING
                250-SIZE 31457280
                250-VRFY
                250-ETRN
                250-AUTH PLAIN LOGIN
                250-ENHANCEDSTATUSCODES
                250-8BITMIME
                250 DSN
        B. execute the AUTH PLAIN LOGIN command option using the HASH you made in Step 3
                AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=

        C. look for output
                235 2.7.0 Authentication successful


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Michael
Sent: Monday, January 14, 2019 1:00 PM
To: [hidden email]
Subject: Re: New SASL error when relaying through gmail

On 1/14/19 10:42 AM, Christopher van de Sande wrote:

> Just a guess, but are you using App passwords for GMail?  It's
> possible Gmail is enforcing some 2FA/MFA or otherwise some kind of
> "enhanced" authentication.
>
> Even if you aren't using 2FA, it might be worth giving a shot.
>
>> I thought this might be the case as well.   I reset the password the
>> account password and also re-setup the application password on the
>> gmail account for postfix (in my my sasl password file). That didn't
>> seem to make a difference.   Is there an easy way to test the app
>> password on google?
>>
>>
>> Michael
>>
>>


I went back into my account and turned on less secure apps and turned
off 2FA.    I tried again with the regular password and the app
password.   Still the same error.     I hate when things work and then
suddenly break :(


Michael
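
Angelo's step 2 and Viktor's earlier warning about not posting the password "or its base64 encoding", as an added example that is not part of any post in this thread: the AUTH PLAIN string is an encoding, not a hash, so it decodes straight back to the credentials, and a session transcript should be scrubbed before it is shared. The function names and the sample session are constructed for illustration; the credentials are the `username`/`password` placeholders from Angelo's post.

```python
import base64
import re


def encode_auth_plain(username, password, authzid=""):
    """SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd, in base64."""
    for field in (authzid, username, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = "\x00".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(payload):
    """Reverse the encoding: returns (authzid, username, password)."""
    parts = base64.b64decode(payload, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


# "AUTH <mechanism> <initial-response>", but not a "250-AUTH ..." capability line.
_AUTH_CMD = re.compile(r"(?<!\d{3}[- ])\b(AUTH\s+[A-Za-z0-9_-]+)\s+\S.*$",
                       re.IGNORECASE)
_SERVER_REPLY = re.compile(r"^\d{3}([ -]|$)")


def redact_transcript(lines):
    """Mask credentials in an SMTP session transcript before it is shared."""
    out, after_challenge = [], False
    for line in lines:
        text = line.strip()
        if after_challenge and not _SERVER_REPLY.match(text):
            # Client answer to a 334 challenge (AUTH LOGIN, or AUTH PLAIN sent
            # without an initial response): always credential material.
            out.append("[REDACTED SASL RESPONSE]")
        else:
            out.append(_AUTH_CMD.sub(r"\1 [REDACTED]", line))
        after_challenge = text == "334" or text.startswith("334 ")
    return out


# Constructed sample session using the placeholder credentials from the thread.
SAMPLE_SESSION = [
    "ehlo domain",
    "250-AUTH LOGIN PLAIN XOAUTH2",
    "250 SMTPUTF8",
    "AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=",
    "235 2.7.0 Accepted",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    "dXNlcm5hbWU=",
    "334 UGFzc3dvcmQ6",
    "cGFzc3dvcmQ=",
    "235 2.7.0 Accepted",
]

if __name__ == "__main__":
    # The "hash" from step 2 decodes back to the clear-text credentials.
    print(decode_auth_plain("dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ="))
    print("\n".join(redact_transcript(SAMPLE_SESSION)))
```

Passing a real password as a command-line argument leaves it in shell history and the process list; reading it with `getpass.getpass()` and calling `encode_auth_plain` avoids that.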



Re: New SASL error when relaying through gmail

Wietse Venema
In reply to this post by Michael-129
Michael:
> Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5:
> to=<[hidden email]>, relay=smtp.gmail.com[173.194.203.108]:587,
> delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL
> authentication failed; cannot authenticate to server
> smtp.gmail.com[173.194.203.108]: invalid parameter supplied)

The 'invalid parameter supplied' is an error message from the local SASL
library. This error happens while Postfix prepares to send the AUTH
command.

Why does the Cyrus SASL library return 'invalid parameter supplied'?
I can only speculate that it does not like something about the SASL
mechanism list (which Postfix got from the Gmail server), or something
about the username or password (which it got from local file).

It would be worthwhile to see the AUTH parameter in the server's
EHLO response before and after Postfix sends STARTTLS.

        Wietse

Re: New SASL error when relaying through gmail

Michael-129
In reply to this post by angelo
On 1/14/19 11:09 AM, Fazzina, Angelo wrote:

> Hi, can you manually use commands to test the U/P are working from your postfix server ?
>
> 1. Run this to test connectivity to your server
> openssl s_client -starttls smtp -connect your.host.name:587
> Typical OUTPUT =
> 250 DSN
> quit
> 221 2.0.0 Bye
> closed
>
> 2. Run this to create a hash
> python -c 'import base64,sys; u,p=sys.argv[1:3]; print base64.encodestring("%s\x00%s\x00%s" % (u,u,p))' username password
> OUTPUT = dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
> Replace username and password with real ones
>
>
> Once Steps 1 and 2 work, you can test authentication with the hash in Step 3
>
> 3. Run the openssl commands and connect to your server.
> A. do and "ehlo domain" to see commands supported
> EXAMPLE :
> ehlo domain
> 250-localpart.domain.part
> 250-PIPELINING
> 250-SIZE 31457280
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> B. execute the AUTH PLAIN LOGIN command option using the HASH you made in Step 3
> AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
>
> C. look for output
> 235 2.7.0 Authentication successful
>

Thanks Angelo.   This is quite useful for debugging.   I spent many
hours today not getting authentication successful messages. I ultimately
turned off 2FA on google and got rid of the app passwords.   Then I
enabled insecure apps.   Once that is done, I can now get a 235 2.7.0
Accepted message.


However, I am still getting these messages when postfix tries to relay.

Jan 15 12:43:35 deathstar postfix/smtp[32233]: A90511E0963:
to=<[hidden email]>, relay=smtp.gmail.com[74.125.142.109]:587,
delay=98478, delays=98477/0.04/0.94/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[74.125.142.109]: invalid parameter supplied)

Michael




Re: New SASL error when relaying through gmail

Michael-129
In reply to this post by Wietse Venema
On 1/14/19 11:19 AM, Wietse Venema wrote:

> The 'invalid parameter supplied' is an error message the local SASL
> library. This error happens while Postfix prepares to send the AUTH
> command.
>
> Why does the Cyrus SASL library return 'invalid parameter supplied'?
> I can only speculate that it does not like something about the SASL
> mechanism list (which Postfix got from the Gmail server), or something
> about the username or password (which it got from local file).
>
> It would be worthwhile to see the AUTH parameter in the server's
> EHLO response before and after Postfix sends STARTTLS.
>
> Wietse


Thanks Wietse,


Using Angelo's testing methodology, I can see this:

250-smtp.gmail.com at your service, [68.226.113.229]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8


I am not sure how to check from postfix.


Michael


RE: New SASL error when relaying through gmail

angelo
It may be time to crank up debug level on Postfix or do tcpdump capture to see what you are sending over the wire when it works and when it doesn't ?


-ANGELO FAZZINA

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Michael
Sent: Tuesday, January 15, 2019 2:48 PM
To: [hidden email]
Subject: Re: New SASL error when relaying through gmail

On 1/14/19 11:19 AM, Wietse Venema wrote:

> The 'invalid parameter supplied' is an error message the local SASL
> library. This error happens while Postfix prepares to send the AUTH
> command.
>
> Why does the Cyrus SASL library return 'invalid parameter supplied'?
> I can only speculate that it does not like something about the SASL
> mechanism list (which Postfix got from the Gmail server), or something
> about the username or password (which it got from local file).
>
> It would be worthwhile to see the AUTH parameter in the server's
> EHLO response before and after Postfix sends STARTTLS.
>
> Wietse


Thanks Wietse,


Using Angelo's testing methodology, I can see this:

250-smtp.gmail.com at your service, [68.226.113.229]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8


I am not sure how to check from postfix.


Michael


Re: New SASL error when relaying through gmail

Viktor Dukhovni
In reply to this post by Michael-129

> On Jan 15, 2019, at 2:47 PM, Michael <[hidden email]> wrote:
>
> Using Angelo's testing methodology, I can see this:
>
> 250-smtp.gmail.com at your service, [68.226.113.229]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
>
>
> I am not sure how to check from postfix.

        smtp_sasl_mechanism_filter = plain

--
        Viktor.


Re: New SASL error when relaying through gmail

Michael-129
On 1/15/19 1:05 PM, Viktor Dukhovni wrote:

>> On Jan 15, 2019, at 2:47 PM, Michael <[hidden email]> wrote:
>>
>> Using Angelo's testing methodology, I can see this:
>>
>> 250-smtp.gmail.com at your service, [68.226.113.229]
>> 250-SIZE 35882577
>> 250-8BITMIME
>> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-CHUNKING
>> 250 SMTPUTF8
>>
>>
>> I am not sure how to check from postfix.
> smtp_sasl_mechanism_filter = plain
>

Awesome Viktor!  With that in place, mail is now flowing again!


I really appreciate everyone's responses that help guide me to a solution.


Michael



Re: New SASL error when relaying through gmail

Wietse Venema
In reply to this post by Michael-129
Michael:

> On 1/14/19 11:19 AM, Wietse Venema wrote:
>
> > The 'invalid parameter supplied' is an error message the local SASL
> > library. This error happens while Postfix prepares to send the AUTH
> > command.
> >
> > Why does the Cyrus SASL library return 'invalid parameter supplied'?
> > I can only speculate that it does not like something about the SASL
> > mechanism list (which Postfix got from the Gmail server), or something
> > about the username or password (which it got from local file).
> >
> > It would be worthwhile to see the AUTH parameter in the server's
> > EHLO response before and after Postfix sends STARTTLS.
> >
> > Wietse
>
>
> Thanks Wietse,
>
>
> Using Angelo's testing methodology, I can see this:
>
> 250-smtp.gmail.com at your service, [68.226.113.229]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH

Maybe it does not like the AUTH line. What happens when you
only keep the "250-AUTH LOGIN PLAIN" part?

   /etc/postfix/main.cf:
       smtp_reply_filter = pcre:/etc/postfix/reply_filter

   /etc/postfix/reply_filter:
       /^(250.AUTH LOGIN PLAIN)/ $1

Caution: this is a sharp tool that replaces server responses.

        Wietse


Re: New SASL error when relaying through gmail

Wietse Venema
Wietse Venema:

> Michael:
> > On 1/14/19 11:19 AM, Wietse Venema wrote:
> >
> > > The 'invalid parameter supplied' is an error message the local SASL
> > > library. This error happens while Postfix prepares to send the AUTH
> > > command.
> > >
> > > Why does the Cyrus SASL library return 'invalid parameter supplied'?
> > > I can only speculate that it does not like something about the SASL
> > > mechanism list (which Postfix got from the Gmail server), or something
> > > about the username or password (which it got from local file).
> > >
> > > It would be worthwhile to see the AUTH parameter in the server's
> > > EHLO response before and after Postfix sends STARTTLS.
> > >
> > > Wietse
> >
> >
> > Thanks Wietse,
> >
> >
> > Using Angelo's testing methodology, I can see this:
> >
> > 250-smtp.gmail.com at your service, [68.226.113.229]
> > 250-SIZE 35882577
> > 250-8BITMIME
> > 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>
> Maybe it does not like the AUTH line. What happens when you
> only keep the "250-AUTH LOGIN PLAIN" part?
>
>    /etc/postfix/main.cf:
>        smtp_reply_filter = pcre:/etc/postfix/reply_filter
>
>    /etc/postfix/reply_filter:
>        /^(250.AUTH LOGIN PLAIN)/ $1
>
> Caution: this is a sharp tool that replaces server responses.

Ignore this, Viktor's SASL mechanism filter is better.

        Wietse
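
The two fixes proposed above, Viktor's `smtp_sasl_mechanism_filter = plain` and Wietse's `smtp_reply_filter` rule, compared on the EHLO response Michael posted. This is an added example, not Postfix code and not part of any post: the functions are a simplified model with hypothetical names, and the real mechanism filter also accepts lookup tables and `!` exclusions, which are not modelled here.

```python
import re

# EHLO response after STARTTLS, copied from Michael's post in this thread.
EHLO_REPLY = [
    "250-smtp.gmail.com at your service, [68.226.113.229]",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH",
    "250-ENHANCEDSTATUSCODES",
    "250-PIPELINING",
    "250-CHUNKING",
    "250 SMTPUTF8",
]


def offered_mechanisms(reply_lines):
    """SASL mechanism names from the AUTH capability line(s), in offered order.

    Accepts "250-AUTH ..." and the legacy "250-AUTH=..." spelling.
    """
    mechs = []
    for line in reply_lines:
        m = re.match(r"^250[- ]AUTH[ =]\s*(.*)$", line.strip(), re.IGNORECASE)
        if not m:
            continue
        for name in m.group(1).split():
            if name.upper() not in mechs:
                mechs.append(name.upper())
    return mechs


def mechanism_filter(offered, allowed):
    """Model of smtp_sasl_mechanism_filter with a plain name list.

    Names match whole and case-insensitively, so "plain" keeps PLAIN but
    not PLAIN-CLIENTTOKEN. Only the survivors reach the SASL library.
    """
    allow = {a.upper() for a in re.split(r"[,\s]+", allowed.strip()) if a}
    return [m for m in offered if m in allow]


def reply_filter(reply_lines, pattern, result):
    """Model of a pcre smtp_reply_filter rule: a matching line is replaced
    by the rule's result, with $1..$9 expanded from the match."""
    rx = re.compile(pattern)
    out = []
    for line in reply_lines:
        m = rx.search(line)
        if m:
            line = re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), result)
        out.append(line)
    return out


if __name__ == "__main__":
    offered = offered_mechanisms(EHLO_REPLY)
    print("offered by server:     ", offered)
    # Viktor's setting: the server reply is untouched, the choice is narrowed.
    print("after mechanism filter:", mechanism_filter(offered, "plain"))
    # Wietse's rule: the reply line itself is rewritten before it is parsed.
    rewritten = reply_filter(EHLO_REPLY, r"^(250.AUTH LOGIN PLAIN)", "$1")
    print("after reply filter:    ", offered_mechanisms(rewritten))
```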