Bug 995900

Summary: Postfix should say authentication fails because the corresponding cyrus sasl module isn't installed
Product: [Fedora] Fedora Reporter: David Tonhofer <bughunt>
Component: postfixAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jskarvad
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-12 11:35:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Tonhofer 2013-08-11 22:59:41 UTC 
Description of problem:
-----------------------

Probably needs to be kicked upstream.

Configure postfix to do STARTTLS + SASL password authentication. Anonyomous login is disallowed using "noanonymous"

It just doesn't work.

In the log:

Aug 11 22:39:50 ip-10-178-10-122 postfix/smtp[12978]: starting new SASL client
Aug 11 22:39:50 ip-10-178-10-122 postfix/smtp[12978]: name_mask: noanonymous
Aug 11 22:39:50 ip-10-178-10-122 postfix/smtp[12978]: smtp_sasl_authenticate: mail.your-server.de[78.46.5.205]:587: SASL mechanisms LOGIN PLAIN
Aug 11 22:39:50 ip-10-178-10-122 postfix/smtp[12978]: warning: SASL authentication failure: No worthy mechs found

After some time it turns out that postfix/smtp does not find "worthy mechs" for plaintext login because....

$ yum install cyrus-sasl-plain

was not performed, i.e. the Cyrus SASL module was missing

Postfix should really say "I can't do it ... and these are the mechanisms currently known: ... maybe look at your cyrus sasl packages"

So that one gets a hint about what might be going wrong.

Version-Release
---------------

postfix-2.10.1-1.fc19.x86_64
Comment 1 Jaroslav Škarvada 2013-08-12 11:35:32 UTC 
This is documented, http://www.postfix.org/SASL_README.html#client_sasl:

> This default policy, which allows no plaintext passwords, leads to
> authentication failures if the remote server only offers plaintext
> authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
> such cases the SMTP client will log the following error message:
>
>    SASL authentication failure: No worthy mechs found
>
>    Note
>
>    This same error message will also be logged when the libplain.so or
> liblogin.so modules are not installed in the /usr/lib/sasl2 directory.

The libplain.so and liblogin.so are provided by 'cyrus-sasl-plain' package and this package is provided by 'standard' group which is required by most of the other groups.

This shouldn't happen in the default installation and it is also documented in the upstream documentation, thus it is not a bug, but RFE that should be addressed upstream.