SMTP Relay SASL authentication failure: No worthy mechs found

I am setting up the Mail service on OS X Server 5.0.4, running on OS X 10.11.3.


Specifically, I am trying to get SMTP Relay to work with a CPanel outgoing email service. (http://cpanel.com/)


I was able to successfully send mail through the relay server using the "swaks" utility (http://jetmore.org/john/code/swaks/). In this case, I used the "SSMTPA" protocol: require authentication, initiate a TLS connection immediately on connection to port 465.


When I configure OS X Server to use the same relay server, port, and user authentication, the error returned is:

postfix/smtp[63995]: CLIENT wrappermode (port smtps/465) is unimplemented

postfix/smtp[63995]: instead, send to (port submission/587) with STARTTLS

When I change the port to 587, the error becomes:

postfix/smtp[64195]: Untrusted TLS connection established to p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

postfix/smtp[64195]: warning: SASL authentication failure: No worthy mechs found

postfix/smtp[64195]: 4E0EE9B9B5: to=<larrygoldman@mac.com>, relay=p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]:587, delay=5.3, delays=0/0.03/5.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server p3plcpnl0508.prod.phx3.secureserver.net[50.62.176.35]: no mechanism available)


I believe the problem is that the relay server does not implement the STARTTLS protocol.


How to implement the "wrappermode" in the Server's Postfix?

OS X Server

Posted on Feb 22, 2016 3:41 PM

5 replies

Feb 22, 2016 4:53 PM in response to Larry Goldman

Here is the transcript from the successful swaks test. Note that the TLS connection is established before the authentication takes place:

=== Trying p3plcpnl0508.prod.phx3.secureserver.net:465...

=== Connected to p3plcpnl0508.prod.phx3.secureserver.net.

=== TLS started with cipher TLSv1:DHE-RSA-AES256-SHA:256

=== TLS no local certificate set

=== TLS peer DN="/C=US/ST=Arizona/O=Special Domain Services, LLC/CN=*.prod.phx3.secureserver.net"

<~ 220-p3plcpnl0508.prod.phx3.secureserver.net ESMTP Exim 4.85 #2 Mon, 22 Feb 2016 14:57:39 -0700

<~ 220-We do not authorize the use of this system to transport unsolicited,

<~ 220 and/or bulk e-mail.

~> EHLO xxx.domain.com

<~ 250-p3plcpnl0508.prod.phx3.secureserver.net Hello

<~ 250-SIZE 52428800

<~ 250-8BITMIME

<~ 250-PIPELINING

<~ 250-AUTH PLAIN LOGIN

<~ 250 HELP

~> AUTH LOGIN

<~ 334 xxxxx

~> xxxxxx==

<~ 334 xxxxxxx

~> xxxxxxxx==

<~ 235 Authentication succeeded

.

.

.

<~ 250 OK id=-xxxxx

~> QUIT

<~ 221 p3plcpnl0508.prod.phx3.secureserver.net closing connection

=== Connection closed with remote host.

Feb 23, 2016 8:32 AM in response to Larry Goldman

You will need to tell the Postfix client to allow plaintext by modifying main.cf and setting:

smtp_sasl_auth_enable = yes

smtp_sasl_security_options =


Do not confuse this with smtpd_sasl_security_options, which is used for incoming connections to your server. There you definitely do not want plain text authentication on port 25.


This should probably get you going unless the relaying server has additional requirements. For more parameters see here:

http://www.postfix.org/postconf.5.html


HTH,

Alex


P.S. Since you mentioned you use Swaks, I assume you know your way around the configuration files for Postfix.
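An added example, not part of the reply above or of Postfix: a simplified Python model of why the client logs "no mechanism available" when the server offers only PLAIN and LOGIN. It assumes Postfix's default smtp_sasl_security_options of "noplaintext, noanonymous" and models only those two options; the function names are hypothetical and the EHLO reply is copied from the swaks transcript earlier in the thread.

```python
import re

# Simplified classification: mechanisms that send the password itself,
# and the one that sends no identity at all.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}

# EHLO reply as shown in the swaks transcript on this page.
SAMPLE_EHLO = """\
<~ 250-p3plcpnl0508.prod.phx3.secureserver.net Hello
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP"""

def advertised_mechs(ehlo_reply):
    """Return AUTH mechanisms from an EHLO reply; accepts 'AUTH=' and swaks '<~ ' prefixes."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"\s*(?:<~\s*)?250[- ]AUTH[ =](.*)$", line, re.IGNORECASE)
        if m:
            for name in m.group(1).split():
                if name.upper() not in mechs:
                    mechs.append(name.upper())
    return mechs

def usable_mechs(ehlo_reply, security_options):
    """Drop offered mechanisms that the client-side security options exclude."""
    opts = {o for o in re.split(r"[,\s]+", security_options.strip().lower()) if o}
    keep = []
    for mech in advertised_mechs(ehlo_reply):
        if "noplaintext" in opts and mech in PLAINTEXT_MECHS:
            continue
        if "noanonymous" in opts and mech in ANONYMOUS_MECHS:
            continue
        keep.append(mech)
    return keep

def diagnose(ehlo_reply, security_options):
    """Explain whether the client is left with any mechanism to try."""
    usable = usable_mechs(ehlo_reply, security_options)
    if usable:
        return "can authenticate with: " + ", ".join(usable)
    offered = ", ".join(advertised_mechs(ehlo_reply)) or "nothing"
    return "no mechanism available (server offered %s)" % offered

if __name__ == "__main__":
    for opts in ("noplaintext, noanonymous", "noanonymous", ""):
        print(repr(opts), "->", diagnose(SAMPLE_EHLO, opts))
```

With the default options the filtered list is empty, which matches the deferred-delivery log line in the question; with "noanonymous" or an empty value, PLAIN and LOGIN remain, so the password's confidentiality then rests entirely on the TLS layer underneath.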

Mar 8, 2016 10:12 AM in response to Larry Goldman

To answer my own question, CPanel (11.40) expects a non-encrypted log-in on port 465 over a TLS tunnel. Apparently, Postfix cannot provide this kind of log-in. Here is what I did to work around the problem on Mac OS X 10.11, Server 5:


Download, make and install (via MacPorts): stunnel. This utility listens on a port on the local server through which Postfix can log into the CPanel SMTP server. Here, I arbitrarily picked port 5000. stunnel requires a configuration file: /usr/local/etc/stunnel/stunnel.conf

client = yes



[smtps]

accept = 5000

connect = p3plcpnl0508.prod.phx3.secureserver.net:465

and a launchd plist to start it after reboot: in my case: /Library/LaunchDaemons/com.ascs.stunnel.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.ascs.stunnel</string>

<key>UserName</key>

<string>_postfix</string>

<key>Program</key>

<string>/usr/local/bin/stunnel</string>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Finally, launch stunnel:

sudo launchctl bootstrap system /Library/LaunchDaemons/com.ascs.stunnel.plist

Confirm stunnel is listening:

sudo lsof -i -P | grep "5000"

Test stunnel as follows:

telnet localhost 5000

You should see the log-in of your mail server. (Use command "quit" to exit the server.)


Next, configure Postfix to use the plain login. Add these lines, just above the bottom row of "=====", to /Library/Server/Mail/Config/postfix/main.cf

smtp_sasl_security_options = noanonymous

smtp_use_tls = no


…and restart Postfix (after first checking status):

postfix -c /Library/Server/Mail/Config/postfix status

postfix -c /Library/Server/Mail/Config/postfix reload


Then, in Server -> Mail -> Relay Options -> Outgoing Mail Relay: localhost:5000, with the authentication credentials of the relay server.


Now, in the SMTP Log, you should see outgoing mail routed to the relay server.


Unfortunately, I have seen stunnel stop working after a couple of days, maybe if the relay server goes offline for some reason. Perhaps the launchd plist should specify "KeepAlive" instead of run-once, but I had trouble getting that to work and did not get deeper into it.


Comments? Corrections?
