Introduction
When Postfix is configured to use Dovecot SASL for SMTP authentication, clients may receive `535 5.7.8 Error: authentication failed: authentication failure` when trying to send mail. This happens when the SASL authentication socket between Postfix and Dovecot is misconfigured, the authentication credentials are incorrect, or the Dovecot auth service is not running properly.
Symptoms
- Mail client receives:
  `535 5.7.8 Error: authentication failed: authentication failure`
- Postfix mail log shows:
  `postfix/smtpd[12345]: warning: unknown[192.168.1.100]: SASL LOGIN authentication failed: authentication failure`
- Dovecot log shows:
  `dovecot: auth: Error: auth client 0 disconnected with 1 pending requests`
  Or:
  `dovecot: auth-worker(12345): Error: sql(user@example.com,192.168.1.100): Password mismatch`
Common Causes
- Dovecot auth socket not accessible by Postfix (wrong permissions or path)
- Postfix `smtpd_sasl_type` misconfigured
- Password database (MySQL, PostgreSQL, PAM) not responding
- Dovecot auth service not running or crashed
- Client sending plaintext password over non-TLS connection
- User account locked or password expired in the authentication backend
Step-by-Step Fix
1. Verify the Dovecot auth service is running:

```bash
systemctl status dovecot
systemctl status dovecot-auth
# Check Dovecot logs
journalctl -u dovecot --since "1 hour ago" | tail -30
```

2. Verify the SASL socket exists and has correct permissions:

```bash
ls -la /var/spool/postfix/private/auth
# Should show:
# srw-rw-rw- 1 postfix postfix 0 Apr 9 10:00 auth
# If the socket does not exist, Dovecot is not creating it
```

3. Check the Dovecot SASL configuration (`/etc/dovecot/conf.d/10-master.conf`):

```
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Auth process is run as this user
  user = dovecot
}
```

4. Check the Postfix SASL configuration (`/etc/postfix/main.cf`):

```
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
```

5. Test authentication manually:

```bash
# Generate base64 encoded credentials
echo -ne '\0user@example.com\0YourPassword' | base64
# Output: AHVzZXJAZXhhbXBsZS5jb20AWW91clBhc3N3b3Jk

# Test SMTP AUTH
telnet localhost 587
EHLO test.example.com
# Server should respond with: 250-AUTH LOGIN PLAIN
AUTH PLAIN AHVzZXJAZXhhbXBsZS5jb20AWW91clBhc3N3b3Jk
# Should respond: 235 2.7.0 Authentication successful
```
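The manual test above as a script (an added example, not part of the original article): it builds the same base64 PLAIN blob with Python's standard library, runs EHLO, STARTTLS and AUTH PLAIN through `smtplib`, and returns the server's reply code so a 535 is reported directly instead of being read off a telnet session. The host, port, the `test.example.com` EHLO name and the `verify_tls` switch for a self-signed lab certificate are assumptions.

```python
import base64
import smtplib
import ssl


def auth_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """Base64 of the SASL PLAIN message: authzid NUL authcid NUL password (RFC 4616)."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> tuple:
    """Reverse of the above, for reading an AUTH PLAIN line seen in a debug log."""
    parts = base64.b64decode(blob).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN payload must contain exactly two NUL separators")
    return tuple(parts)  # (authzid, authcid, password)


def check_smtp_auth(host, port, username, password, use_starttls=True,
                    verify_tls=True, ehlo_name="test.example.com", timeout=10):
    """Run EHLO / STARTTLS / AUTH PLAIN and return (ok, reply_code, reply_text)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # assumption: lab server with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(ehlo_name)
        if use_starttls:
            smtp.starttls(context=ctx)
            smtp.ehlo(ehlo_name)  # capabilities are re-advertised after STARTTLS
        if not smtp.has_extn("auth"):
            # Postfix only advertises AUTH when smtpd_sasl_auth_enable = yes,
            # and on submission commonly only after STARTTLS (smtpd_tls_auth_only).
            return (False, 0, "server does not advertise AUTH")
        code, msg = smtp.docmd("AUTH PLAIN",
                               auth_plain_initial_response(username, password))
        # 235 = success; 535 5.7.8 is the failure this article is about
        return (code == 235, code, msg.decode("utf-8", "replace"))


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "user@example.com"
    ok, code, text = check_smtp_auth("localhost", 587, user,
                                     getpass.getpass("Password: "), verify_tls=False)
    print("OK" if ok else "FAILED", code, text)
```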
6. Check the password database backend:

```bash
# For SQL-backed auth, test the query Dovecot uses
doveadm user user@example.com
# Should return user details

# Test password lookup
doveadm auth test user@example.com 'YourPassword'
# Should return: auth succeeded

# Check SQL connection in Dovecot
doveadm auth login user@example.com
```

7. Enable verbose Dovecot auth logging:

```
# /etc/dovecot/conf.d/10-logging.conf
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
```

Then restart Dovecot and check the logs:

```bash
systemctl restart dovecot
journalctl -u dovecot -f
```

Note that `auth_debug_passwords = yes` and `auth_verbose_passwords = plain` write the submitted passwords into the log in clear text, so revert these settings once the cause has been found.
Prevention
- Use `doveadm auth test` to verify authentication after any password change
- Monitor Dovecot and Postfix logs for authentication failures
- Keep TLS enabled on port 587 (submission) to protect credentials
- Use `auth_mechanisms = plain login` in Dovecot for broad client compatibility
- Regularly test the SASL socket with the manual telnet test
- Implement fail2ban to block repeated authentication failures:

```
# /etc/fail2ban/jail.local
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps"]
maxretry = 5
bantime = 3600
```