Applicable to:
- Plesk for Linux
Symptoms
-
Unable to send or receive emails in Postfix after updating to Plesk Obsidian 18.0.34 in Debian 9 OS, in some cases the Postfix service might be down
-
The attempt to connect with the mail client registers the following errors in the log file
/var/log/maillog:CONFIG_TEXT: postfix/smtpd[5810]: warning: SASL authentication failure: no secret in database
postfix/smtpd[5810]: warning: example.com[0.0.0.0]: SASL DIGEST-MD5 authentication failed: authentication failureCONFIG_TEXT: postfix/smtpd[4288]: Unable to open database(readonly) /plesk/passwd.db: unable to open database file
postfix/smtpd[4288]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Cause
Product issue:
-
#PPPM-12885 "The default chroot settings are no longer changed after updating Plesk to the latest version."
Fixed in:- Plesk Obsidian 20 July 2021 (Linux)
Resolution
Workaround
Until the bug is fixed consider applying the following workaround:
-
Connect to the server via SSH
-
Back up the Postfix configuration file
/etc/postfix/master.cf:# cp -a /etc/postfix/master.cf{,.backup}
-
Edit the Postfix configuration file
/etc/postfix/master.cf, enable the chroot to the smtp, smtps and submission processes configuration:From:
CONFIG_TEXT: smtp inet n - - - - smtpd
smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destinationTo:
CONFIG_TEXT: smtp inet n - y - - smtpd
smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination -
Back up the Postfix SASL configuration file
/etc/postfix/sasl/smtpd.conf:# cp -a /etc/postfix/sasl/smtpd.conf{,.backup}
-
(Optional - in general cases, proceed with step 6) Edit the Postfix SASL configuration file
/etc/postfix/sasl/smtpd.conf, configure thesaslauthd_pathwith the relative chrooted path:From:
CONFIG_TEXT: pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: CRAM-MD5 PLAIN LOGIN
sql_engine: intentionally disabled
log_level: 4To:
CONFIG_TEXT: pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /private/plesk_saslauthd
mech_list: CRAM-MD5 PLAIN LOGIN
sql_engine: intentionally disabled
log_level: 4 -
Restart Postfix to apply the changes:
# systemctl restart postfix
Comments
7 comments
It doesn't work with /private/plesk_saslauthd because this entry is already in the smtpd.conf. When i change it to /var/spool/postfix/private/plesk_saslauthd it works.
Our Plesk auto updated an hour ago automatically and it completely broke Postfix.. so the fix to check for updates does not work! Ours said there were no updates available. I made the changes by RCapaul which fixed our problem.
Rcapaul @Mike
Plesk Obsidian 18.0.34 Update 2 released March, 25, contains the bugfix. In case the update did not fix the issue for you, please contact Plesk Technical support or the technical support team of the reseller you bought a license from.
Leonid Gukhman
It works only with ports 465 SSL and 25 without SSL but with 587 TLS it doesn't works. When i change in /etc/postfix/sasl/smtpd.conf to /var/spool/postfix/private/plesk_saslauthd it works!
18.0.34 Update 2 installed - issue still there. Any clients using STARTTLS on port 587 for smtp sending is getting an auth error still.. 465/SSL works fine:
Mar 31 09:25:30 psa1 postfix/smtpd[20453]: warning: unknown[xx.xx.xx.xx]: SASL DIGEST-MD5 authentication failed: authentication failure
Mar 31 09:25:30 psa1 postfix/smtpd[20453]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Mar 31 09:25:30 psa1 postfix/smtpd[20453]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: generic failure
I'm logging a support ticket now with Plesk. It also broke spamassassin as well.
Rcapaul, @Mike
The developers have confirmed that the submission service at port 587 is still affected - until the hotfix is released (no ETA, as of now), please leave the workaround applied. I have also edited the article; note that some of our customers needed to specify /private/plesk_saslauthd.
I was having the same issue. This article saved my life. Customers was going crazy for the last weeks. It took me so much time to find this article.
For me (having the latest update installed) it was enough to change the submission line in the
/etc/postfix/master.cf. For the other two lines there was no difference.Can somebody tell me why this problem occured? Or when it officially been fixed with the next update? And please any feedback on how this workaround impacts the next regular update.
Please sign in to leave a comment.