Larry Goldman

Q: SMTP Relay SASL authentication failure: No worthy mechs found

I am setting up the Mail service on OS X Server 5.0.4, running on OS X 10.11.3.

Specifically, I am trying to get SMTP Relay to work with a CPanel outgoing email service. (http://cpanel.com/)

I was able to successfully send mail through the relay server using the "swaks" utility (http://jetmore.org/john/code/swaks/). In this case, I used the "SSMTPA" protocol: require authentication, initiate a TLS connection immediately on connection to port 465.

When I configure OS X Server to use the same relay server, port, and user authentication, the error returned is:

postfix/smtp[63995]: CLIENT wrappermode (port smtps/465) is unimplemented

postfix/smtp[63995]: instead, send to (port submission/587) with STARTTLS

When I change the port to 587, the error becomes:

postfix/smtp[64195]: Untrusted TLS connection established to p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

postfix/smtp[64195]: warning: SASL authentication failure: No worthy mechs found

postfix/smtp[64195]: 4E0EE9B9B5: to=<larrygoldman@mac.com>, relay=p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]:587, delay=5.3, delays=0/0.03/5.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]: no mechanism available)

 

I believe the problem is that the relay server does not implement the STARTTLS protocol.

How to implement the "wrappermode" in the Server's Postfix?

OS X Server

Posted on Feb 22, 2016 3:41 PM


  • by Larry Goldman, Level 1 (9 points), Feb 22, 2016 4:53 PM in response to Larry Goldman

    Here is the transcript from the successful swaks test. Note that the TLS connection is established before the authentication takes place:

    === Trying p3plcpnl0508.prod.phx3.secureserver.net:465...
    === Connected to p3plcpnl0508.prod.phx3.secureserver.net.
    === TLS started with cipher TLSv1:DHE-RSA-AES256-SHA:256
    === TLS no local certificate set
    === TLS peer DN="/C=US/ST=Arizona/O=Special Domain Services, LLC/CN=*.prod.phx3.secureserver.net"
    <~  220-p3plcpnl0508.prod.phx3.secureserver.net ESMTP Exim 4.85 #2 Mon, 22 Feb 2016 14:57:39 -0700
    <~  220-We do not authorize the use of this system to transport unsolicited,
    <~  220 and/or bulk e-mail.
    ~> EHLO xxx.domain.com
    <~  250-p3plcpnl0508.prod.phx3.secureserver.net Hello
    <~  250-SIZE 52428800
    <~  250-8BITMIME
    <~  250-PIPELINING
    <~  250-AUTH PLAIN LOGIN
    <~  250 HELP
    ~> AUTH LOGIN
    <~  334 xxxxx
    ~> xxxxxx==
    <~  334 xxxxxxx
    ~> xxxxxxxx==
    <~  235 Authentication succeeded
    .
    .
    .
    <~  250 OK id=-xxxxx
    ~> QUIT
    <~  221 p3plcpnl0508.prod.phx3.secureserver.net closing connection
    === Connection closed with remote host.

  • by pterobyte, Level 6 (11,101 points), Feb 23, 2016 2:35 AM in response to Larry Goldman

    The error message you see complains about authentication, not TLS. While it considers the TLS connection untrusted, it still connects.

    You need to find out which authentication methods the relay host expects and then make those available on your server.

  • by Larry Goldman, Level 1 (9 points), Feb 23, 2016 8:13 AM in response to pterobyte

    I believe the server expects "AUTH PLAIN LOGIN", normally insecure, but here it happens within a secure TLS "tunnel".

    How do I get Postfix to emulate this behavior?

  • by pterobyte, Level 6 (11,101 points), Feb 23, 2016 8:32 AM in response to Larry Goldman

    You will need to tell the Postfix client to allow plaintext by modifying main.cf and setting:

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =

    Do not confuse with smtpd_sasl_security_options, which are used for incoming connections to your server. There you definitely do not want plain text authentication on port 25.

    This should probably get you going unless the relaying server has additional requirements. For more parameters see here:

    http://www.postfix.org/postconf.5.html

    HTH,

    Alex

    P.S. Since you mentioned you use Swaks, I assume you know your way around the configuration files for Postfix.

  • by Larry Goldman, Level 1 (9 points), Mar 8, 2016 10:12 AM in response to Larry Goldman

    To answer my own question, CPanel (11.40) expects a non-encrypted log-in on port 465 over a TLS tunnel. Apparently, Postfix cannot provide this kind of log-in. Here is what I did to work around the problem on Mac OS X 10.11, Server 5:

    Download, make and install (via MacPorts): stunnel. This utility listens on a port on the local server through which Postfix can log into the CPanel SMTP server. Here, I arbitrarily picked port 5000. stunnel requires a configuration file: /usr/local/etc/stunnel/stunnel.conf

    client = yes

    [smtps]
    accept = 5000
    connect = p3plcpnl0508.prod.phx3.secureserver.net:465

    and a launchd plist to start it after reboot: in my case: /Library/LaunchDaemons/com.ascs.stunnel.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key>
      <string>com.ascs.stunnel</string>
      <key>UserName</key>
      <string>_postfix</string>
      <key>Program</key>
      <string>/usr/local/bin/stunnel</string>
      <key>RunAtLoad</key>
      <true/>
    </dict>
    </plist>

    Finally, launch stunnel:

    sudo launchctl bootstrap system /Library/LaunchDaemons/com.ascs.stunnel.plist

    Confirm stunnel is listening:

    sudo lsof -i -P | grep "5000"

    Test stunnel as follows:

    telnet localhost 5000

    You should see the log-in banner of your mail server. (Use command "quit" to exit the server.)

     

    Next, configure Postfix to use the plain login. Add these lines, just above the bottom row of "=====", to /Library/Server/Mail/Config/postfix/main.cf

    smtp_sasl_security_options = noanonymous
    smtp_use_tls = no

    …and restart Postfix (after first checking status):

    postfix -c /Library/Server/Mail/Config/postfix status
    postfix -c /Library/Server/Mail/Config/postfix reload

    Then, in Server -> Mail -> Relay Options -> Outgoing Mail Relay: localhost:5000, with the authentication credentials of the relay server.

    Now, in the SMTP Log, you should see outgoing mail routed to the relay server.

    Unfortunately, I have seen stunnel stop working after a couple of days, maybe if the relay server goes offline for some reason. Perhaps the launchd plist should specify "KeepAlive" instead of run-once, but I had trouble getting that to work and did not get deeper into it.

    Comments? Corrections?
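As an added example (not code from the thread, from Postfix or from stunnel), the script below reproduces the mechanism filtering behind "No worthy mechs found" that pterobyte's answer and the final stunnel write-up both turn on: it parses the relay's EHLO AUTH line, applies Postfix's smtp_sasl_security_options the way the thread's two settings do, and can probe a relay over implicit TLS on port 465, which is the same wrapper-mode connection the stunnel hop makes for Postfix. The sample EHLO response is constructed from the swaks transcript above, and the relay host and HELO name passed to probe_wrapped are placeholders.

```python
import smtplib
import ssl

# Postfix SMTP client default; the thread's fix changes it to "noanonymous".
DEFAULT_OPTIONS = "noplaintext, noanonymous"

# Which mechanisms each option removes (Cyrus SASL semantics; only the
# mechanisms relevant to this thread are listed).
EXCLUDED_BY = {"noplaintext": {"PLAIN", "LOGIN"}, "noanonymous": {"ANONYMOUS"}}

# Constructed from the swaks transcript posted in the thread.
SAMPLE_EHLO = (
    "250-p3plcpnl0508.prod.phx3.secureserver.net Hello\r\n"
    "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
)

def advertised_mechs(ehlo_response):
    """Return the AUTH mechanisms listed in an EHLO response, uppercased."""
    mechs = []
    for line in ehlo_response.splitlines():
        body = line[4:].strip() if line[:4] in ("250-", "250 ") else ""
        if body.upper().startswith(("AUTH ", "AUTH=")):  # 'AUTH=' is a legacy form
            mechs.extend(m.upper() for m in body[5:].split())
    return mechs

def worthy_mechs(mechs, options=DEFAULT_OPTIONS):
    """Keep only the mechanisms that no active security option excludes."""
    opts = {o.strip().lower() for o in options.split(",") if o.strip()}
    excluded = set().union(*(EXCLUDED_BY.get(o, set()) for o in opts))
    return [m for m in mechs if m not in excluded]

def diagnose(ehlo_response, options=DEFAULT_OPTIONS):
    """Summarise the outcome the way the Postfix log line in the thread does."""
    offered = advertised_mechs(ehlo_response)
    usable = worthy_mechs(offered, options)
    if not usable:
        return f"offered {offered}, none allowed by '{options}': No worthy mechs found"
    return f"offered {offered}, Postfix client may use {usable}"

def probe_wrapped(host, port=465, helo_name="mailhost.example.net"):
    """Fetch the relay's AUTH line over implicit TLS on port 465 (the same
    wrapper-mode connection stunnel makes for Postfix). Needs network access."""
    with smtplib.SMTP_SSL(host, port, context=ssl.create_default_context(), timeout=10) as s:
        s.ehlo(helo_name)  # helo_name is a placeholder; use your own host name
        return s.esmtp_features.get("auth", "").upper().split()

if __name__ == "__main__":
    print(diagnose(SAMPLE_EHLO))                 # default options: the failure
    print(diagnose(SAMPLE_EHLO, "noanonymous"))  # the setting from the thread
```

Postfix 3.0 and later implement smtp_tls_wrappermode = yes in the SMTP client itself, so the stunnel hop is only needed on older releases such as the one whose log appears above.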