
SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available

Hi, I am trying to put the final touches on my postfix/fetchmail setup. Please please tell me if this is the wrong forum.

HELP! :-)

Mostly it's working but the crucial piece I'm missing is the ability to send mail to other hosts through my comcast relay from the command line.

I can send mail from my Mail.app client. There is just some little SASL detail or something going on here that I'm missing. I could use a good pair of eyes for help!


To put it in a nutshell, here is what I'm seeing in the logs when I do "postfix flush":

Note that I can telnet to smtp.comcast.net 587 and make a connection, so I am ignoring "no route to host" messages at the moment. Especially since you can see it does connect. Config logs are below. Sorry for the long message, but I'm hopefully anticipating the questions a knowledgeable expert might ask of me. :-)

=============================================================================================

# LOG FILE CONTENTS:

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: 810762983FD0: from=<***>, size=332, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: AED65298168E: from=<***>, size=327, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: AF585298168F: from=<***>, size=327, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: C873A29816BA: from=<***>, size=306, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: CFE0E2983B7C: from=<***>, size=302, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: D71C029816E8: from=<***>, size=307, nrcpt=1 (queue active)

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61130]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61133]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: CFE0E2983B7C: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=1844, delays=1844/0/0.09/0, dsn=4.0.0, status=deferred (host smtp.comcast.net[76.96.40.155] refused to talk to me: 421 omta14.emeryville.ca.mail.comcast.net comcast Too many sessions opened)

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61130]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61133]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61131]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61134]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61130]: warning: SASL authentication failure: No worthy mechs found

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61130]: AED65298168E: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=190442, delays=190441/0/0.39/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61133]: warning: SASL authentication failure: No worthy mechs found

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61133]: 810762983FD0: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=1162, delays=1161/0/0.4/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: warning: SASL authentication failure: No worthy mechs found

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: AF585298168F: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: warning: SASL authentication failure: No worthy mechs found

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: C873A29816BA: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available

Aug 15 12:48:28 RichCookHomeMac postfix/error[61137]: D71C029816E8: to=<***>, relay=none, delay=190645, delays=190645/0.41/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: AF585298168F: to=<***>, relay=none, delay=190350, delays=190349/0/0.42/0, dsn=4.4.1, status=deferred (connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host)

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host

Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: C873A29816BA: to=<***>, relay=none, delay=190865, delays=190864/0/0.43/0, dsn=4.4.1, status=deferred (connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host)



=============================================================================================

# main.cf:

mydomain_fallback = localhost

# message_size_limit = 10485760 # commented out by Rich Cook

biff = no

#mynetworks = 127.0.0.0/8, [::1]/128

#smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

recipient_delimiter = +

smtpd_tls_ciphers = medium

inet_protocols = all

inet_interfaces = loopback-only

#======================================================================

# Rich Cook mods:

message_size_limit = 0


relayhost=[smtp.comcast.net]:587

smtp_sasl_auth_enable=yes

smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

smtp_use_tls = yes

mydestination=localhost,localhost.$myhostname,$myhostname,localhost.richcook.net,richcook.net



# Based off of MailServe Pro stuff

# See TRUST AND RELAY CONTROL section above

# Also see man 5 postconf

smtpd_sasl_auth_enable=yes

smtpd_use_pw_server=yes

enable_server_options=yes

smtpd_pw_server_security_options=plain, login

smtp_tls_loglevel=1

smtpd_sasl_security_options=noanonymous

smtp_tls_security_level=encrypt

broken_sasl_auth_clients=yes

# commented out as I do not fully understand yet, but does not fix to put it back in.

# smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access

smtpd_sasl_local_domain=$mydomain

smtp_sasl_mechanism_filter =


# =========================================================================

root@RichCookHomeMac (postfix ): ls -l /etc/postfix/

total 392

-rw-r--r-- 1 root wheel 11942 Feb 8 2014 LICENSE

-rw-r--r-- 1 root wheel 1629 Feb 8 2014 TLS_LICENSE

-rw-r--r-- 1 root wheel 20876 Feb 8 2014 access

-rw-r--r-- 1 root wheel 16384 Aug 15 12:17 access.db

-rw-r--r-- 1 root wheel 8830 Aug 15 12:28 aliases

-rw-r--r-- 1 root wheel 8829 Jun 1 14:57 aliases.desktop

-rw-r--r-- 1 root wheel 3548 Feb 8 2014 bounce.cf.default

-rw-r--r-- 1 root wheel 11681 Feb 8 2014 canonical

-rw-r--r-- 1 root wheel 44 Feb 8 2014 custom_header_checks

-rw------- 1 root wheel 157 Aug 15 11:37 fetchmailrc

-rw-r--r-- 1 root wheel 9904 Feb 8 2014 generic

-rw-r--r-- 1 root wheel 21535 Feb 8 2014 header_checks

-rw-r--r-- 1 root wheel 28864 Aug 15 12:43 main.cf

-rw-r--r-- 1 root wheel 26970 Feb 8 2014 main.cf.default

-rw-r--r-- 1 root wheel 26155 Jun 1 15:04 main.cf.upgradedMtnLion

-rw-r--r-- 1 root wheel 27430 Feb 8 2014 main.cf~orig

-rw-r--r-- 1 root wheel 1441 Feb 8 2014 makedefs.out

-rw-r--r-- 1 root wheel 7443 Feb 8 2014 master.cf

-rw-r--r-- 1 root wheel 7443 Feb 8 2014 master.cf.default

-rw-r--r-- 1 root wheel 18473 Feb 8 2014 postfix-files

-rw-r--r-- 1 root wheel 6816 Feb 8 2014 relocated

-rw-r----- 1 root wheel 44 Aug 15 10:56 sasl_passwd

-rw-r----- 1 root wheel 16384 Aug 15 12:18 sasl_passwd.db

-rw-r--r-- 1 root wheel 12549 Feb 8 2014 transport

-rw-r--r-- 1 root wheel 12494 Feb 8 2014 virtual


<Email Edited By Host>

PowerMac, OS X Mavericks (10.9), 14 GB RAM, 2.8 GHz Quad Core

Posted on Aug 15, 2014 1:00 PM

17 replies

Aug 15, 2014 1:15 PM in response to wealthychef

One note: I installed the following with MacPorts, but I'm not sure if postfix can find them:


cyrus-sasl2 @2.1.26 security/cyrus-sasl2

libgsasl @1.8.0 security/libgsasl


How can I test my SASL setup?


I think this means I have SASL in postfix:


root@RichCookHomeMac (postfix ): postconf -a

cyrus

dovecot

root@RichCookHomeMac (postfix ): postconf -A

cyrus

Aug 15, 2014 2:05 PM in response to wealthychef

Take the following steps to configure Postfix to relay mail to a remote SMTP server with password authentication over SSL. Substitute as required for strings in italics below. Address is the fully-qualified domain name of the relay host. The value of port is usually either 25, 465, or 587. Username and password refer to your credentials on the relay host.

In the current version of OS X Server (but not necessarily in older versions), Steps 1 and 3 should be done for you when you enable relaying and relay authentication in the Server application.

1. If necessary, create or update the relayhost directive in

/Library/Server/Mail/Config/postfix/main.cf

It should look like this:

relayhost = [address]:port

2. Add these lines, above the section at the end that begins with the comment "# Mac OS X Server":

smtp_sasl_security_options =

smtp_tls_CAfile = /etc/certificates/relayhost.pem

smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache

smtp_use_tls = yes

3. If it doesn't already exist, create the password file

/Library/Server/Mail/Config/postfix/sasl/passwd

with this content:

[address]:port username:password

Here address must match $relayhost.

Then create the password database:

sudo postmap /Library/Server/Mail/Config/postfix/sasl/passwd

This action creates the file

/Library/Server/Mail/Config/postfix/sasl/passwd.db

The two password files should be readable by root only.

4. Create the file

/etc/certificates/relayhost.pem

with the CA certificate(s) to be trusted for authentication of the remote host. You get those certificates from the service provider. If you can't find a link to download them, try this:

openssl s_client -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'

The command may produce an error message that isn't necessarily significant. For servers that use the older STARTTLS protocol, rather than straight TLS or SSL, this command may need to be modified.

5. Restart the Mail service.

Aug 15, 2014 2:56 PM in response to Linc Davis

Thanks for putting that out there. Maybe it will help somebody else. I wish those generic instructions helped, but I think they mostly ignore what I've written. Step 1 is done already. Are you saying that the error about SASL authentication is caused by a lacking certificate? That doesn't make sense; Mail.app is able to send mail through my server so why can't sendmail just do the same thing?

Aug 15, 2014 7:23 PM in response to Linc Davis

What I'm trying to accomplish is just I am trying to make my mail work. I have steps 1-3 done, but don't understand what you mean by step 4. I don't know that Comcast (my ISP) provides certificates and don't know where I would find this out.


In your command

openssl s_client -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'


What address:port should I use?

What I don't understand is why you think a missing certificate is causing the error in my log. When I connect from Mail.app, I'm able to send mail without a problem. Is Mail.app using a certificate? Can I just use its certificate somehow?

Aug 15, 2014 8:59 PM in response to wealthychef

I think I give up. I believe that SMTP relay through comcast is somehow blocked. I don't know why postfix cannot do what my email client can do, but if anyone has any suggestions I'm open to trying. If anyone has this working I'd love to hear about it. I have not seen anyone that does, unless they have some sort of business arrangement for it. It seems understandable as with a relay you can be a spammer, but my aims are more simple, I just want to be able to send mail from the command line to other places.

Aug 15, 2014 9:03 PM in response to wealthychef

OK I think I give up. It looks to me like comcast and google just don't allow smtp relay. I don't know why postfix cannot manage to do what my email client can do. If there is anyone out there that has this working I'd love to hear how to do it. Doesn't matter if I do it with Server.app, or straight postfix, or whatever. I cannot make it work. But Mail.app works fine, as it just gives a username and password to the smtp server at comcast. Why can't postfix do this? Seems odd. I suspect I could do this through something like python perhaps. Might try that next. But it might need smtp and then I'd be at square one.

Anyhow, at least one grumpy guy tried to help me, so I suppose I should be thankful. :-)

Aug 16, 2014 3:40 PM in response to wealthychef

After extensive puzzling, I have solved the problem by asking on a postfix mailing list, who are friendly and helpful, unlike some people on the internet. The problem is in my main.cf file. Here is my working configuration for the benefit of others. I'm done. I now can send mail from the command line to other machines. I forgot why I was even doing this. After a while, I just wanted to know why the heck I couldn't do it. :-)


SOLUTION:


1) First, I made a sasl_passwd file with the following in it (username and password obfuscated here obviously) and ran postmap to hash it:


echo '[smtp.comcast.net]:587 username:password' > /etc/postfix/sasl_passwd

postmap hash:/etc/postfix/sasl_passwd


2) Then I modified the main.cf to have the settings shown below.


#======================================================================

# Apple additions:

mydomain_fallback = localhost

biff = no

inet_protocols = all

inet_interfaces = loopback-only

#======================================================================

# Rich Cook mods:

message_size_limit = 0

mydomain = richcook.net

myhostname = richcook.net

mynetworks=192.168.0.0/16,rcmac.llnl.gov,localhost,mom.richcook.net

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject


relayhost=[smtp.comcast.net]:587

smtp_sasl_auth_enable=yes

smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

# smtp_tls_security_level is "better" than smtp_use_tls but does the same purpose here:

smtp_tls_security_level = may

# smtp_use_tls = yes

# smtp_tls_loglevel=3

smtpd_sasl_auth_enable=yes

smtpd_use_pw_server=yes

enable_server_options=yes

smtpd_pw_server_security_options=plain, login

smtp_sasl_security_options = noplaintext, noanonymous

smtp_sasl_tls_security_options = noanonymous

broken_sasl_auth_clients=yes

smtpd_sasl_local_domain=$mydomain

smtp_sasl_mechanism_filter =
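
Why the first main.cf fails with "no mechanism available" and the final one works, as an added example that is not part of the original thread: Postfix's documented default for smtp_sasl_security_options is "noplaintext, noanonymous", and smtp_sasl_tls_security_options defaults to the same value, so a relay that offers only plaintext mechanisms leaves nothing to negotiate. The advertised list (LOGIN, PLAIN) and the function names are assumptions for illustration; the filter is a simplified model, not Postfix or Cyrus SASL code.

```python
# Simplified model of how the Postfix SMTP client narrows the server's AUTH list.
# The default below is the documented Postfix one; all sample input is constructed.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}          # mechanisms excluded by "noplaintext"
DEFAULT_OPTS = "noplaintext, noanonymous"     # default smtp_sasl_security_options


def parse_main_cf(text):
    """Return {name: value} for 'name = value' lines; a later setting wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def effective_options(params, tls_active):
    """Security options in force for this client session."""
    base = params.get("smtp_sasl_security_options", DEFAULT_OPTS)
    # smtp_sasl_tls_security_options defaults to $smtp_sasl_security_options.
    chosen = params.get("smtp_sasl_tls_security_options", base) if tls_active else base
    return set(chosen.replace(",", " ").split())


def usable_mechs(advertised, params, tls_active=True):
    """Mechanisms left after applying the security options, in server order."""
    opts = effective_options(params, tls_active)
    banned = set()
    if "noplaintext" in opts:
        banned |= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        banned.add("ANONYMOUS")
    return [m for m in advertised if m not in banned]


# Constructed input: assume the relay advertises only plaintext mechanisms.
ADVERTISED = ["LOGIN", "PLAIN"]
# First config: only the server-side smtpd_ option is set, so client defaults apply.
BEFORE = "smtp_sasl_auth_enable=yes\nsmtpd_sasl_security_options=noanonymous\n"
# Final config: plaintext mechanisms are allowed, but only inside TLS.
AFTER = ("smtp_sasl_security_options = noplaintext, noanonymous\n"
         "smtp_sasl_tls_security_options = noanonymous\n")

if __name__ == "__main__":
    print("before:", usable_mechs(ADVERTISED, parse_main_cf(BEFORE)))
    print("after: ", usable_mechs(ADVERTISED, parse_main_cf(AFTER)))
```

With `tls_active=False` the final config again yields an empty list, which is the property that matters under `smtp_tls_security_level = may`: the password is only offered once the session is encrypted.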
