Introduction

Postfix SASL authentication failures with error code 535 5.7.8 typically occur when the SMTP client cannot authenticate against the configured SASL backend. This is common when setting up mail relay authentication or when Dovecot/Cyrus integration has configuration mismatches.

Symptoms

  • SMTP clients receive "535 5.7.8 Error: authentication failed" when sending mail
  • Mail clients (Thunderbird, Outlook) repeatedly prompt for password
  • /var/log/mail.log shows "warning: SASL authentication failure"
  • Postfix is configured to use Dovecot or Cyrus SASL
  • The TLS connection is established, but authentication fails

Common Causes

  • Dovecot auth socket permissions incorrect
  • SASL authentication mechanisms mismatch (PLAIN vs LOGIN)
  • Postfix smtpd_sasl_type not matching installed backend
  • Missing smtpd_sasl_auth_enable = yes
  • TLS required but client attempting plaintext auth
  • Wrong socket path in Postfix smtpd_sasl_path

Step-by-Step Fix

  1. Check Postfix SASL configuration in /etc/postfix/main.cf:

     ```
     smtpd_sasl_auth_enable = yes
     smtpd_sasl_type = dovecot
     smtpd_sasl_path = private/auth
     smtpd_sasl_security_options = noanonymous
     smtpd_sasl_local_domain = $myhostname
     ```

  2. Verify Dovecot auth socket configuration in /etc/dovecot/conf.d/10-master.conf:

     ```
     service auth {
       unix_listener /var/spool/postfix/private/auth {
         mode = 0666
         user = postfix
         group = postfix
       }
     }
     ```

  3. Check socket file permissions:

     ```bash
     ls -la /var/spool/postfix/private/auth
     # Should show: srw-rw-rw- 1 postfix postfix
     ```

  4. If permissions are wrong, fix them:

     ```bash
     chown postfix:postfix /var/spool/postfix/private/auth
     chmod 0666 /var/spool/postfix/private/auth
     ```

  5. Enable PLAIN and LOGIN mechanisms in /etc/dovecot/conf.d/10-auth.conf:

     ```
     auth_mechanisms = plain login
     ```

  6. Restart both services:

     ```bash
     systemctl restart dovecot
     systemctl restart postfix
     ```

  7. Test authentication manually:

     ```bash
     # Encode username and password
     echo -ne '\000user\000password' | base64
     # Connect and test
     openssl s_client -connect mail.example.com:587 -starttls smtp
     # Then type these SMTP commands inside the s_client session:
     ehlo test
     auth plain <base64-encoded-string>
     ```

  8. Check logs for specific errors:

     ```bash
     tail -f /var/log/mail.log | grep -i sasl
     ```
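The settings from steps 1 and 2 can also be compared statically before restarting anything. The script below is an added example, not part of the original guide: it assumes the Dovecot backend, runs on constructed sample files, and the helper names cf_get and audit_sasl are hypothetical. It also checks smtpd_tls_auth_only, the Postfix parameter that restricts AUTH to TLS sessions.

```shell
#!/bin/sh
# Added example (not from the original page): static check of the SASL settings above.

# Print the last value assigned to parameter $2 in main.cf-style file $1.
cf_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_sasl MAIN_CF DOVECOT_MASTER_CONF [QUEUE_DIR]
# Prints one line per finding; exit status is the number of FAIL findings.
audit_sasl() (
  queue=${3:-/var/spool/postfix}
  findings=0
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
  enable=$(cf_get "$1" smtpd_sasl_auth_enable)
  sasl_type=$(cf_get "$1" smtpd_sasl_type)
  path=$(cf_get "$1" smtpd_sasl_path)
  [ "$enable" = yes ] || fail "smtpd_sasl_auth_enable is '${enable:-unset}', expected 'yes'"
  [ "$sasl_type" = dovecot ] || fail "smtpd_sasl_type is '${sasl_type:-unset}', expected 'dovecot'"

  # A relative smtpd_sasl_path is resolved against the Postfix queue directory.
  case $path in /*) ;; *) path=$queue/$path ;; esac
  # Collect every unix_listener path declared in the Dovecot config.
  listeners=$(sed -n 's/^[[:space:]]*unix_listener[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p' "$2")
  printf '%s\n' "$listeners" | grep -qxF -- "$path" ||
    fail "no Dovecot unix_listener at $path"

  # smtpd_tls_auth_only = yes keeps Postfix from offering AUTH before STARTTLS.
  [ "$(cf_get "$1" smtpd_tls_auth_only)" = yes ] ||
    echo "WARN: smtpd_tls_auth_only is not 'yes'; AUTH is offered on unencrypted sessions"
  exit "$findings"
)

# Constructed sample input: the Dovecot listener path does not match smtpd_sasl_path.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
EOF
cat > "$demo/10-master.conf" <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0666
  }
}
EOF
audit_sasl "$demo/main.cf" "$demo/10-master.conf" || echo "findings: $?"
```

On a real host, pass /etc/postfix/main.cf and /etc/dovecot/conf.d/10-master.conf as the two arguments.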

Prevention

  • Run postfix check after configuration changes
  • Test authentication after every SASL-related update
  • Monitor /var/log/mail.log for authentication failures
  • Implement fail2ban to prevent brute force attacks
  • Use strong TLS settings and require encryption for auth