1

I have a problem. I have configured Postfix to run with Cyrus, and it's still not working.

/var/log/mail.log

Nov 29 10:44:24 mail postfix/submission/smtpd[32229]: connect from out.example.com[xxx.xxx.xxx.xxx]
Nov 29 10:44:55 mail postfix/submission/smtpd[32229]: timeout after EHLO from out.example.com[xxx.xxx.xxx.xxx]
Nov 29 10:44:57 mail postfix/submission/smtpd[32229]: disconnect from out.example.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 commands=3
Nov 29 10:45:10 mail postfix/submission/smtpd[32229]: connect from out.example.com[xxx.xxx.xxx.xxx]
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: Password verification failed
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: out.example.com[xxx.xxx.xxx.xxx]: SASL PLAIN authentication failed: generic failure
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: out.example.com[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: generic failure
Nov 29 10:45:42 mail postfix/submission/smtpd[32229]: timeout after AUTH from out.example.com[xxx.xxx.xxx.xxx]
Nov 29 10:45:45 mail postfix/submission/smtpd[32229]: disconnect from out.example.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=0/2 commands=3/5

main.cf:

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

append_dot_mydomain = no

readme_directory = no

smtpd_tls_cert_file=/etc/letsencrypt/live/myserver.tld/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/myserver.tld/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes

smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

myhostname = myserver.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = myserver.tld
myorigin = $mydomain
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_transport = lmtp:unix:private/dovecot-lmtp
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h

invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
debug_peer_list = 81.95.108.131
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

master.cf

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
#smtp       inet  n       -       -       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}

mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated
dovecot unix    -       n       n       -       -      pipe
    flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}

mlmmj   unix  -       n       n       -       -       pipe
    flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}

smtp-amavis unix -  -   n   -   9  smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
127.0.0.1:10028 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10028
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Can I ask what's wrongly configured? The postfix user is added to the sasl group.
(Some comments in the configs have been deleted because of SuperUser antispam.)

rktech
  • 11
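A way to read the log in the question from a detection standpoint, added here as an example and not part of the original post: failures caused by an unreachable saslauthd are an outage in the authentication path and should be kept apart from bad-password failures when counting towards lockout or brute-force alerts. The function names are hypothetical, and the last sample line is constructed.

```python
import re

# Excerpt of the log in the question (client address masked as on the page).
# The final line is constructed here to show a plain bad-password failure.
SAMPLE = """\
Nov 29 10:45:10 mail postfix/submission/smtpd[32229]: connect from out.example.com[xxx.xxx.xxx.xxx]
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: Password verification failed
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: out.example.com[xxx.xxx.xxx.xxx]: SASL PLAIN authentication failed: generic failure
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Nov 29 10:45:12 mail postfix/submission/smtpd[32229]: warning: out.example.com[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: generic failure
Nov 29 10:45:45 mail postfix/submission/smtpd[32229]: disconnect from out.example.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=0/2 commands=3/5
Nov 29 10:50:01 mail postfix/submission/smtpd[40001]: warning: client.invalid[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
"""

LINE = re.compile(r"postfix/[\w/-]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BACKEND = re.compile(r"cannot connect to saslauthd server: (?P<why>.+)")
FAILED = re.compile(
    r"(?P<client>\S+\[[^\]]+\]): SASL (?P<mech>\S+) authentication failed: (?P<reason>.+)")

def classify(log_text):
    """Return (client, mechanism, kind, detail) for every failed AUTH."""
    pending = {}   # smtpd pid -> saslauthd error seen just before the failure
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        backend = BACKEND.search(msg)
        if backend:
            pending[pid] = backend["why"]
            continue
        failed = FAILED.search(msg)
        if failed:
            why = pending.pop(pid, None)
            kind = "backend" if why else "credentials"
            results.append((failed["client"], failed["mech"], kind,
                            why or failed["reason"]))
    return results

def summarize(log_text):
    """Count failures per kind; only 'credentials' should feed lockout rules."""
    counts = {"backend": 0, "credentials": 0}
    for _, _, kind, _ in classify(log_text):
        counts[kind] += 1
    return counts
```
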

1 Answer

2

You have a few problems with your configuration. Postfix has two parts, SMTP and SMTPD. Clients and other mail servers connect to SMTPD and the server sends mail out using SMTP. You have SMTPD SASL authentication set up, but not SMTP SASL authentication set up. To set up SMTP SASL authentication, you need two things. First, you need to enable it in main.cf:

smtp_sasl_auth_enable = yes

Most ISPs block outgoing traffic out of port 25 for spam prevention, so you might have to use an email relay. If you are using a mail relay, you need to create a file in /etc/postfix called sasl_password_maps.

touch /etc/postfix/sasl_password_maps

Fill /etc/postfix/sasl_password_maps in with the information about your relay.

[subdomain.examplemailrelay.com]:587      username:password

Then, you have to put these options in main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password_maps
relayhost = [subdomain.examplemailrelay.com]:587

Then run these commands:

postmap /etc/postfix/sasl_password_maps
systemctl restart postfix

As a bonus, these are some recommended SMTP options that I like to use for security. Put them in main.cf if you'd like:

smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec
smtp_enforce_tls = yes
smtp_use_tls = yes

I hope this helps!

Cameron
  • 21
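A pre-flight check for the relay steps in the answer above, added here as an example and not part of the original answer: it confirms that the relayhost value has an entry in the password map, that the map (which holds a plaintext password) is readable only by its owner, and that postmap has been run since the last edit. The host names are constructed placeholders, the function names are hypothetical, and the key match is simplified to the exact next-hop string.

```python
import os, stat, tempfile

# Constructed main.cf fragment; relay.example.invalid is a placeholder host.
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password_maps
relayhost = [relay.example.invalid]:587
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def check_relay_auth(main_cf_text, map_path):
    """List problems that stop or weaken SASL authentication to relayhost."""
    cfg, problems = parse_main_cf(main_cf_text), []
    if cfg.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable is not yes")
    relay = cfg.get("relayhost", "")
    with open(map_path) as fh:
        keys = {ln.split()[0] for ln in fh if ln.strip() and not ln.startswith("#")}
    # Simplification: only the exact next-hop string is accepted as a key.
    if relay and relay not in keys:
        problems.append("no map entry for " + relay)
    mode = stat.S_IMODE(os.stat(map_path).st_mode)
    if mode & 0o077:  # the map holds a plaintext password
        problems.append("map is mode %o, readable beyond its owner" % mode)
    db = map_path + ".db"  # file that postmap writes for a hash: table
    if not os.path.exists(db) or os.path.getmtime(db) < os.path.getmtime(map_path):
        problems.append("postmap not run since the map was last edited")
    return problems

def demo():
    """Build a constructed map whose key differs from relayhost and check it."""
    path = os.path.join(tempfile.mkdtemp(), "sasl_password_maps")
    with open(path, "w") as fh:
        fh.write("[smtp.example.invalid]:587 username:password\n")
    os.chmod(path, 0o644)  # what touch leaves behind under umask 022
    return check_relay_auth(MAIN_CF, path)
```
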