Discussion:
postfix for dummies (me) probably a general error in config of smtp
Walt Shekrota
2011-03-24 18:45:41 UTC
What I want:
on a 10.10 ubuntu minimal system install

postfix/dovecot configured w/ smtp for outgoing
fetchmail works
procmail works

My trouble surrounds smtp auth and since I have never used imap I'll deal with
that last.
Ultimately I want all my email in one place so clients can connect from
anywhere. From reading I got the idea Dovecot was the way to go. Nowhere did
it seem to elaborate the documented pieces that go in these config files. Like
the idea below that there are 2 different auths going on.

I might have an understanding issue here so I'll elaborate on authorization.
I'm thinking that smtpd_sender_login_maps is the IP of the smtp relay your ISP
would provide?
and that (if kept to plain text and I did to simplify testing) the id/password
in dovecot.conf (passwd.file) is the local userid that will hold the pop mail
requested.
wshek{plain}mypassword

when I send an email I note the following line in the /var/log/mail.log

-----
Mar 24 13:57:27 ubu postfix/smtp[15875]: BAD9F82CB0:
to=<***@gmail.com>, relay=199.224.64.207[199.224.64.207]:25,
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced (host
199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The message could not be
sent because your e-mail program needs to identify itself to the sending mail
server. Please see http://support.frontiernet.net/smtp for instructions on how
to correct this setting in your e-mail program.
(pool-96-233-230-70.rlghnc.dsl-w.verizon.net[96.233.230.70] to <Client host>)
(in reply to RCPT TO command))
-----

I assume that by 'identify itself' this message is referring to sasl
authentication as was configured in my previous MTA. The file sasl_password in
/etc/postfix contains 'smtp.frontier.com wshekrota:mypassword'.
postmap hash:/etc/postfix/sasl_password (was run against the file to create
the .db)

if I telnet localhost smtp I get a lot of seemingly inert debug or trace info
in the same log which ultimately gets...
SASL: Connect to private/auth failed: connection refused

if I telnet to localhost imap2 I seem to get a normal ready connection.

postconf -n

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
mydestination = $myhostname, localhost
myhostname = ubu.nothing.org
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
relayhost = 199.224.64.207
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options =
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sasl_password
smtpd_tls_auth_only = no
smtpd_tls_cert_file =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_use_tls = no
tls_random_source = dev:/dev/urandom

Again I'm trying to get the simplest plain text version of this going that I
can expand later. (with ssl)
Thanks for any enlightenment.
-Walt
Wietse Venema
2011-03-25 13:09:27 UTC
Post by Walt Shekrota
if I telnet localhost smtp I get a lot of seemingly inert debug or trace info
in the same log which ultimately gets...
SASL: Connect to private/auth failed: connection refused
This means one or more of the following:

- The Dovecot authentication server does not listen on the socket
at /var/spool/postfix/private/auth.

- You have "security" software such as SELinux, AppArmor, Systrace
and the like that don't allow Postfix to talk to this socket.

But all that is irrelevant because as documented Dovecot authentication
is available only for RECEIVING email, and your problem is with
Post by Walt Shekrota
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced (host
199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The message could not be
Wietse
Walt Shekrota
2011-03-25 13:55:00 UTC
Post by Wietse Venema
Post by Walt Shekrota
if I telnet localhost smtp I get a lot of seemingly inert debug or trace
info in the same log which ultimately gets...
SASL: Connect to private/auth failed: connection refused
- The Dovecot authentication server does not listen on the socket
at /var/spool/postfix/private/auth.
- You have "security" software such as SELinux, AppArmor, Systrace
and the like that don't allow Postfix to talk to this socket.
But all that is irrelevant because as documented Dovecot authentication
is available only for RECEIVING email, and your problem is with
Post by Walt Shekrota
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced (host
199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The message could
not be
Wietse
ok :( then I am at fault in understanding. The outgoing process must then be
fully contained within postfix and the sasl2-bin. (still?) The above message
is the ISP saying "you didn't authenticate". Is smtpd then part of postfix or
a package I have failed to get still?

Thanks again.
-Walt
Wietse Venema
2011-03-25 14:09:23 UTC
Post by Walt Shekrota
Post by Walt Shekrota
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced (host
199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The message could
not be
ok :( then I am at fault in understanding. The outgoing process must then be
fully contained within postfix and the sasl2-bin. (still?) The above message
is the ISP saying "you didn't authenticate". Is smtpd then part of postfix or
a package I have failed to get still?
The remote SMTP server rejects mail from your Postfix SMTP client.

To configure SASL authentication in your Postfix SMTP client, see
http://www.postfix.org/SASL_README.html#client_sasl (Configuring
SASL authentication in the Postfix SMTP/LMTP client).

Wietse
Reinaldo de Carvalho
2011-03-25 14:10:36 UTC
On Fri, Mar 25, 2011 at 10:55 AM, Walt Shekrota
Post by Walt Shekrota
ok :( then I am at fault in understanding. The outgoing process must then be
fully contained within postfix and the sasl2-bin. (still?) The above message
is the ISP saying "you didn't authenticate". Is smtpd then part of postfix or
a package I have failed to get still?
sasl2-bin is the cyrus implementation of SASL, but doesn't matter,
it works with dovecot and postfix. To enable smtp client
authentication: http://www.postfix.org/SOHO_README.html#client_sasl_enable
--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)
Walt Shekrota
2011-03-25 14:18:19 UTC
Post by Wietse Venema
Post by Walt Shekrota
Post by Walt Shekrota
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced
(host 199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The
message could not be
ok :( then I am at fault in understanding. The outgoing process must then
be fully contained within postfix and the sasl2-bin. (still?) The above
message is the ISP saying "you didn't authenticate". Is smtpd then part
of postfix or a package I have failed to get still?
The remote SMTP server rejects mail from your Postfix SMTP client.
To configure SASL authentication in your Postfix SMTP client, see
http://www.postfix.org/SASL_README.html#client_sasl (Configuring
SASL authentication in the Postfix SMTP/LMTP client).
Wietse
Ok yes that is the doc I used to create the password map file and install.
What confuses me about your previous statement
"dovecot for incoming auth"
is this config line
smtpd_sasl_path = private/dovecot-auth

Why does smtpd refer to dovecot then?

I think I had this working and must have tweaked a line somewhere breaking
the process. Now the logged messages give me no clue :)

Thanks.
-Walt
Wietse Venema
2011-03-25 14:31:03 UTC
Post by Wietse Venema
The remote SMTP server rejects mail from your Postfix SMTP client.
To configure SASL authentication in your Postfix SMTP client, see
http://www.postfix.org/SASL_README.html#client_sasl (Configuring
SASL authentication in the Postfix SMTP/LMTP client).
Ok yes that is the doc I used to create the password map file and install.
Good. Have you now solved this problem with SENDING EMAIL?
Post by Wietse Venema
delay=0.57, delays=0.2/0.03/0.17/0.17, dsn=5.7.1, status=bounced
(host 199.224.64.207[199.224.64.207] said: 554 5.7.1 Error: The
message could not be
If that problem isn't solved, then there is no point discussing
Dovecot configuration. Dovecot auth is used only for RECEIVING EMAIL.

Wietse
Walt Shekrota
2011-03-25 14:39:19 UTC
Post by Wietse Venema
The remote SMTP server rejects mail from your Postfix SMTP client.
To configure SASL authentication in your Postfix SMTP client, see
http://www.postfix.org/SASL_README.html#client_sasl (Configuring
SASL authentication in the Postfix SMTP/LMTP client).
Wietse
perl -MMIME::Base64 -e 'print
encode_base64("wshekrotta\@frontier.com\0wshekrotta\@frontier.com\0xxxxxxxx")';
(string returned)

When I telnet 'auth plain' I get ..

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ubu.bla.org ESMTP Postfix (Ubuntu)
ehlo localhost
250-ubu.doink.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain
d3NoZWtyb3RhQGZyb250aWVyLmNvbQB3c2hla3JvdGFAZnJvbnRpZXIuY29tAGpvZWNvb2wx
535 5.7.8 Error: authentication failed:

It seems to me that I did have this working at one point.


main.cf
.
.
.
.
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/sasl_password
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes


sasl_password
smtp.frontier.com ***@frontier.com:xxxxxxxxx

Is there any way to perform a verbose tracing of the actual sasl process,
maybe there is a clue there?

Thanks.
-Walt
Wietse Venema
2011-03-25 15:01:58 UTC
Post by Walt Shekrota
Post by Wietse Venema
The remote SMTP server rejects mail from your Postfix SMTP client.
To configure SASL authentication in your Postfix SMTP client, see
http://www.postfix.org/SASL_README.html#client_sasl (Configuring
SASL authentication in the Postfix SMTP/LMTP client).
telnet localhost 25
You are wasting everyone's time including mine with talking to your
LOCAL Postfix server.

You must first fix the problem with SENDING MAIL to the REMOTE SERVER.
The REMOTE SERVER is not on localhost port 25.

Wietse
Walt Shekrota
2011-03-25 15:12:26 UTC
Post by Wietse Venema
You must first fix the problem with SENDING MAIL to the REMOTE SERVER.
The REMOTE SERVER is not on localhost port 25.
ok point taken... the server in that doc is the remote isp then obviously I
picked up a bad idea in some doc. So when I telnet auth with the remote it's
fine.
235 2.7.0 Authentication successful

I'm grasping here trying to find ways to check what is configured. This still
does not explain why the remote says I do not id myself.
The sasl_password file has the right info and the postmap was done.
working blindly configuring without ways to debug or validate could take
forever.

suggestions?
Thanks.
-Walt
Reinaldo de Carvalho
2011-03-25 15:28:26 UTC
On Fri, Mar 25, 2011 at 12:12 PM, Walt Shekrota
Post by Walt Shekrota
ok point taken... the server in that doc is the remote isp then obviously I
picked up a bad idea in some doc. So when I telnet auth with the remote it's
fine.
235 2.7.0 Authentication successful
I'm grasping here trying to find ways to check what is configured. This still
does not explain why the remote says I do not id myself.
The sasl_password file has the right info and the postmap was done.
working blindly configuring without ways to debug or validate could take
forever.
suggestions?
1. Did the authentication really happen when postfix/smtp tried to deliver?

2. Is the sender (MAIL FROM) equal to the authentication user (AUTH)?
--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)
Brian Evans - Postfix List
2011-03-25 15:32:01 UTC
Post by Walt Shekrota
Post by Wietse Venema
You must first fix the problem with SENDING MAIL to the REMOTE SERVER.
The REMOTE SERVER is not on localhost port 25.
ok point taken... the server in that doc is the remote isp then obviously I
picked up a bad idea in some doc. So when I telnet auth with the remote it's
fine.
235 2.7.0 Authentication successful
I'm grasping here trying to find ways to check what is configured. This still
does not explain why the remote says I do not id myself.
The sasl_password file has the right info and the postmap was done.
working blindly configuring without ways to debug or validate could take
forever.
suggestions?
sasl_password
relayhost = 199.224.64.207
smtp.frontier.com != 199.224.64.207

As documented, they MUST be equal
Walt Shekrota
2011-03-25 15:34:57 UTC
Post by Reinaldo de Carvalho
1. Did the authentication really happen when postfix/smtp tried to deliver?
I used telnet to verify that I truly have THE RIGHT ID AND PW
Now I look in the /etc/postfix/sasl_password I created and see it the same so
I am at a loss understanding why the remote responds that I must identify
myself when I send a test email. Other than some subtle setting keeping it
from happening.
Post by Reinaldo de Carvalho
2. Is the sender (MAIL FROM) equal to the authentication user (AUTH)?
if I understand you, no this is not true. These ids have an obvious
difference.

Thanks.
-Walt
Walt Shekrota
2011-03-25 15:47:03 UTC
Post by Brian Evans - Postfix List
Post by Walt Shekrota
relayhost = 199.224.64.207
smtp.frontier.com != 199.224.64.207
As documented, they MUST be equal
yes I read that last night and fixed it. Something I alternatively read
suggested an IP address be used. That is the problem with the internet you
have to avoid reading too many other folks' posts they are not always useful.
They are now exactly the same 'smtp.frontier.com'

Should there be a port on that? I think this may be the beef of the problem.
Some ISPs are forcing certain security policy.
Before postfix I was using (per client) ssmtp and had specified
'smtp.frontier.com 465' in its simple config file, then authed the same
user/password. So should I use the same here and enable SSL/TLS being I know
this was working for me?

Thanks.
-Walt
Wietse Venema
2011-03-25 16:32:30 UTC
Post by Walt Shekrota
Post by Brian Evans - Postfix List
Post by Walt Shekrota
relayhost = 199.224.64.207
smtp.frontier.com != 199.224.64.207
As documented, they MUST be equal
yes I read that last night and fixed it. Something I alternatively read
suggested an IP address be used. That is the problem with the internet you
have to avoid reading too many other folks' posts they are not always useful.
They are now exactly the same 'smtp.frontier.com'
Instead of scraping random blogs, why not go to the authoritative
source:

http://www.postfix.org/SASL_README.html#client_sasl_enable

Enabling SASL authentication in the Postfix SMTP/LMTP client

This section shows a typical scenario where the Postfix SMTP client sends all messages via a mail gateway server that requires SASL authentication.

Trouble solving tips:

* If your SASL logins fail with "SASL authentication failure:
No worthy mechs found" in the mail logfile, then see the
section "Postfix SMTP/LMTP client policy - SASL mechanism
properties".
* For a solution to a more obscure class of SASL authentication
failures, see "Postfix SMTP/LMTP client policy - SASL
mechanism names".

To make the example more readable we introduce it in two parts.
The first part takes care of the basic configuration, while the
second part sets up the username/password information.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

* The smtp_sasl_auth_enable setting enables client-side
authentication. We will configure the client's username and
password information in the second part of the example.
* The relayhost setting forces the Postfix SMTP to send all
remote messages to the specified mail server instead of trying
to deliver them directly to their destination.
* In the relayhost setting, the "[" and "]" prevent the Postfix
SMTP client from looking up MX (mail exchanger) records for
the enclosed name.
* The relayhost destination may also specify a non-default TCP
port. For example, the alternative form [mail.isp.example]:submission
tells Postfix to connect to TCP network port 587, which is
reserved for email client applications.
* The Postfix SMTP client is compatible with SMTP servers that
use the non-standard "AUTH=method...." syntax in response to
the EHLO command; this requires no additional Postfix client
configuration.
* The Postfix SMTP client does not support the obsolete
"wrappermode" protocol, which uses TCP port 465 on the SMTP
server. See TLS_README for a solution that uses the stunnel
command.
* With the smtp_sasl_password_maps parameter, we configure the
Postfix SMTP client to send username and password information
to the mail gateway server. As discussed in the next section,
the Postfix SMTP client supports multiple ISP accounts. For
this reason the username and password are stored in a table
that contains one username/password combination for each mail
gateway server.

/etc/postfix/sasl_passwd:
    # destination credentials
    [mail.isp.example] username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

Important

Keep the SASL client password file in /etc/postfix, and make
the file read+write only for root to protect the username/password
combinations against other users. The Postfix SMTP client will
still be able to read the SASL client passwords. It opens the
file as user root before it drops privileges, and before entering
an optional chroot jail.

* Use the postmap command whenever you change the
/etc/postfix/sasl_passwd file.
* If you specify the "[" and "]" in the relayhost destination,
then you must use the same form in the smtp_sasl_password_maps
file.
* If you specify a non-default TCP Port (such as ":submission"
or ":587") in the relayhost destination, then you must use
the same form in the smtp_sasl_password_maps file.
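
The rule quoted above (the sasl_passwd key must use the same form as relayhost, including brackets and port), the mismatch Brian Evans pointed out, and the "read+write only for root" advice can all be checked mechanically. This is an added example, not code from the thread or from Postfix: the function names and sample credentials are made up, and it applies the README rule as a plain string comparison rather than reproducing Postfix's full lookup logic.

```python
import os
import stat
import tempfile


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Return {destination: credentials}. Keys are lower-cased
    (assumption: default postmap key folding)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip()
    return table


def split_nexthop(dest):
    """Split host, host:port, [host] or [host]:port into (bracketed, host, port)."""
    if dest.startswith("["):
        host, _, rest = dest[1:].partition("]")
        return True, host, (rest[1:] if rest.startswith(":") else "")
    host, _, port = dest.partition(":")
    return False, host, port


def check_relay_credentials(main_cf_text, sasl_passwd_text):
    """Return a list of findings; empty means relayhost has a matching entry."""
    params = parse_main_cf(main_cf_text)
    table = parse_sasl_passwd(sasl_passwd_text)
    findings = []
    if params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes")
    if not params.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is not set")
    relay = params.get("relayhost", "").lower()
    if not relay:
        findings.append("relayhost is not set")
    elif relay not in table:
        bracketed, host, port = split_nexthop(relay)
        near = [k for k in table if split_nexthop(k)[1] == host]
        for key in near:
            kb, _, kp = split_nexthop(key)
            diffs = [name for name, differs in
                     (("brackets", kb != bracketed), ("port", kp != port)) if differs]
            findings.append(
                f"relayhost {relay} != key {key}: differs in {' and '.join(diffs)}")
        if not near:
            findings.append(f"no sasl_passwd key for relayhost {relay}")
    return findings


def passwd_file_problems(path, owner_uid=0):
    """Check the 'read+write only for root' advice: owner, and no group/other bits."""
    st = os.stat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(
            f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return problems


def sample_main_cf(relayhost):
    """Constructed main.cf fragment using parameter names from the thread."""
    return ("smtp_sasl_auth_enable = yes\n"
            f"relayhost = {relayhost}\n"
            "smtp_sasl_password_maps = hash:/etc/postfix/sasl_password\n")


if __name__ == "__main__":
    # Constructed cases; host names are those on the page, credentials are placeholders.
    cases = [
        ("199.224.64.207", "smtp.frontier.com user@example.invalid:placeholder\n"),
        ("[mail.isp.example]:submission", "[mail.isp.example] username:password\n"),
        ("smtp.frontier.com:25", "smtp.frontier.com:25 user@example.invalid:placeholder\n"),
    ]
    for relayhost, passwd in cases:
        print(relayhost, "->", check_relay_credentials(sample_main_cf(relayhost), passwd) or "ok")
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)  # deliberately too open
    print(passwd_file_problems(path, owner_uid=os.getuid()))
    os.remove(path)
```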
/dev/rob0
2011-03-25 16:34:37 UTC
Post by Walt Shekrota
Post by Brian Evans - Postfix List
Post by Walt Shekrota
relayhost = 199.224.64.207
smtp.frontier.com != 199.224.64.207
As documented, they MUST be equal
yes I read that last night and fixed it. Something I alternatively
read suggested an IP address be used. That is the problem with the
internet you have to avoid reading too many other folks' posts they
are not always useful.
Indeed. And in your particular case, the problem is made worse by the
fact that you don't seem to grasp the basics of how MTAs work. Most
MTAs are both server (in Postfix, smtpd(8)) and client (in Postfix,
smtp(8)). So when you read "information" from others who are in a
similar predicament, your confusion increases.

Maybe we can help ... here's a try, anyway.
Post by Walt Shekrota
They are now exactly the same 'smtp.frontier.com'
Should there be a port on that? I think this may be the beef of the
problem. Some ISPs are forcing certain security policy. Before
postfix I was using (per client) ssmtp and had specified
'smtp.frontier.com 465' in its simple config file, then authed the
same user/password. So should I use the same here and enable
SSL/TLS being I know this was working for me?
1. Why did you switch from ssmtp? It's possible, even likely, that
your needs would be better served by a null SMTP client, rather
than a MTA such as Postfix.

2. smtp.frontier.com has submission servers on ports 25, 465 (smtps),
and 587. Ports 25 and 587 do not appear to support STARTTLS, so if
you desire encryption, your only choice is the deprecated smtps
subprotocol. Postfix does not implement smtps as a client, only as
a server. There is a workaround using stunnel:
http://www.postfix.org/TLS_README.html#client_smtps

BTW, I did not try to decode your AUTH string shown upthread, but if
that was the actual string you used at smtp.frontier.com, you must
change your password now. AUTH PLAIN has no security; it merely
obscures the username and password.

Regarding the need for TLS encryption, I tested from both inside and
outside Frontier. From outside Frontier, you definitely would want
encryption. From inside, such as if you're setting up a SOHO server
which is on Frontier's network, it probably does not matter, since
most likely only Frontier could sniff your traffic, and they are not
going to do anything "bad" with your mail user credentials.

If you really have a need or desire to run your own MTA, I suggest
these fine links as a starting point:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html

If you just want email to work with your Frontier address, I would
suggest staying with a MUA (kmail is very good), or a null SMTP
client like ssmtp.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
Walt Shekrota
2011-03-25 16:51:55 UTC
Post by /dev/rob0
1. Why did you switch from ssmtp? It's possible, even likely, that
your needs would be better served by a null SMTP client, rather
than a MTA such as Postfix.
Like you said this enables you to use a single client to access your mail. If
you have a tendency to migrate to new systems and hardware abstractly it
becomes annoying. Like leaving your mail on the pop server so you can read at
another location etc. The benefits of using an MTA that will work with imap
and offload your mail from a remote popserver are tremendous. Understanding
the architecture is a steep slope. This is why I wanted a simple
implementation working first
Post by /dev/rob0
2. smtp.frontier.com has submission servers on ports 25, 465 (smtps),
and 587. Ports 25 and 587 do not appear to support STARTTLS, so if
you desire encryption, your only choice is the deprecated smtps
subprotocol. Postfix does not implement smtps as a client, only as
http://www.postfix.org/TLS_README.html#client_smtps
if you use 465 there will be a message in the log telling you to use 587.
I think the only thing frontier is enforcing is sasl so I guess 25 should work
and be the simplest. At any rate this will send me back to that rather long
message from my ISP stating I'm not identifying myself. From my own server
experience when in this predicament I up the verbosity of whatever app and try
to provoke more information.
Post by /dev/rob0
BTW, I did not try to decode your AUTH string shown upthread, but if
that was the actual string you used at smtp.frontier.com, you must
change your password now. AUTH PLAIN has no security; it merely
obscures the username and password.
yeah stupid .... something I would not have done if I was not swimming in the
rapids :)
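
The AUTH PLAIN warning quoted above, as an added example that is not part of any post in the thread: an AUTH PLAIN response is only the base64 of `authzid NUL authcid NUL password` (RFC 4616), so a pasted SMTP session has to be scrubbed before it is shared. The function names, the `[REDACTED]` marker and the sample session below are constructed for illustration and use made-up credentials.

```python
import base64
import re

# Constructed sample credentials (not taken from the thread).
SAMPLE_B64 = base64.b64encode(
    b"user@example.invalid\0user@example.invalid\0not-a-real-password").decode()

# Constructed session, modelled on the telnet test shown in the thread.
SAMPLE_SESSION = "\n".join([
    "220 mail.example.invalid ESMTP",
    "ehlo localhost",
    "250-mail.example.invalid",
    "250-AUTH PLAIN LOGIN",
    "250 DSN",
    "auth plain",
    "334 ",
    SAMPLE_B64,
    "535 5.7.8 Error: authentication failed:",
    "auth login",
    "334 VXNlcm5hbWU6",                      # base64 of "Username:"
    base64.b64encode(b"user@example.invalid").decode(),
    "334 UGFzc3dvcmQ6",                      # base64 of "Password:"
    base64.b64encode(b"not-a-real-password").decode(),
    "235 2.7.0 Authentication successful",
])

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")
_REPLY = re.compile(r"\d{3}(?:[ -]|$)")                      # SMTP server reply line
_AUTH_CMD = re.compile(r"(?i)(auth\s+(?:plain|login))(\s+\S+)?$")


def decode_auth_plain(token):
    """Decode an AUTH PLAIN response into (authzid, authcid, password)."""
    fields = base64.b64decode(token, validate=True).split(b"\0")
    if len(fields) != 3 or not fields[1] or not fields[2]:
        raise ValueError("not an AUTH PLAIN response")
    return tuple(f.decode("utf-8", "replace") for f in fields)


def looks_like_auth_plain(token):
    """True if the token decodes to the three NUL-separated AUTH PLAIN fields."""
    try:
        decode_auth_plain(token)
        return True
    except ValueError:  # also covers binascii.Error from invalid base64
        return False


def redact_transcript(text, marker="[REDACTED]"):
    """Replace SASL PLAIN/LOGIN payloads in a pasted SMTP session with a marker.

    Client lines are redacted while an AUTH exchange is open (from the AUTH
    command until a server reply other than 334), and any stand-alone token
    that decodes as AUTH PLAIN is redacted even if the command line was cut.
    """
    out, in_auth = [], False
    for line in text.splitlines():
        s = line.strip()
        cmd = _AUTH_CMD.match(s)
        if cmd:
            in_auth = True
            # An initial response on the same line as the command is a secret too.
            line = cmd.group(1) + (" " + marker if cmd.group(2) else "")
        elif _REPLY.match(s):
            in_auth = in_auth and s.startswith("334")
        elif _B64_TOKEN.fullmatch(s) and (in_auth or looks_like_auth_plain(s)):
            line = marker
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(decode_auth_plain(SAMPLE_B64))
    print(redact_transcript(SAMPLE_SESSION))
```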
Walt Shekrota
2011-03-25 18:26:03 UTC
Post by Wietse Venema
http://www.postfix.org/SASL_README.html#client_sasl_enable
Trust me I've been through a lot of your documents and some several times.
What does come to mind going through these is ...

1. Somehow I have to convey that I'm coming from a nonexistent domain (mine)
and the remote side doesn't need to see that name. (or is this hidden by
postfix configured properly) In the case of the null smtp client there is a
way to set that FROM info. Not sure what to do here. I'm only a server in the
respect that I use fetchmail not that I have a real IP address.

2. Another possibility as outlined in the sasl client doc above is there may
be some missing library(s). It states that in these cases it would come up
with the NO MECHS message. Although I wouldn't know where to start finding
what is missing? I assume its the client spitting out the NO MECHS message? I
can't tell from the logs.

My system was built from a 10.10 ubuntu install using apt-get for the
remainder packages.

Thanks.
-Walt
Noel Jones
2011-03-25 18:44:07 UTC
Post by Walt Shekrota
Post by Wietse Venema
http://www.postfix.org/SASL_README.html#client_sasl_enable
Trust me I've been through a lot of your documents and some several times.
What does come to mind going through these is ...
1. Somehow I have to convey that I'm coming from a nonexistent domain (mine)
and the remote side doesn't need to see that name. (or is this hidden by
postfix configured properly) In the case of the null smtp client there is a
way to set that FROM info. Not sure what to do here. I'm only a server in the
respect that I use fetchmail not that I have a real IP address.
2. Another possibility as outlined in the sasl client doc above is there may
be some missing library(s). It states that in these cases it would come up
with the NO MECHS message. Although I wouldn't know where to start finding
what is missing? I assume its the client spitting out the NO MECHS message? I
can't tell from the logs.
My system was built from a 10.10 ubuntu install using apt-get for the
remainder packages.
Thanks.
-Walt
If you're having trouble reading the logs, it's possible
someone here might know what to make of those messages.

If you need help, please see:
http://www.postfix.org/DEBUG_README.html#mail

In particular, show us "postconf -n" output, unmodified log
entries demonstrating the problem, and contents of relevant files.

DO NOT send debug or verbose logging unless specifically
requested.

Since most of your questions seem to involve client SASL,
consider including the output of "saslfinger -c". Saslfinger
is not part of postfix, it can be found here
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Wietse Venema
2011-03-25 18:49:50 UTC
Post by Walt Shekrota
Post by Wietse Venema
http://www.postfix.org/SASL_README.html#client_sasl_enable
Trust me I've been through a lot of your documents and some several times.
These are simple instructions to turn on SASL authentication.
Nothing more, nothing less. If the instructions don't work, then
show what you did ("postconf -n" command output) and show the result
(non-debug Postfix logging for an entire mail delivery attempt).
Post by Walt Shekrota
What does come to mind going through these is ...
Well, I can lead the horse to the water, but I guess I can't prevent
it from galloping off into the desert and dying from thirst while
chasing down mirages.

If you can't follow simple instructions, then this thread is over.

Wietse
Post by Walt Shekrota
1. Somehow I have to convey that I'm coming from a nonexistent domain (mine)
and the remote side doesn't need to see that name. (or is this hidden by
postfix configured properly) In the case of the null smtp client there is a
way to set that FROM info. Not sure what to do here. I'm only a server in the
respect that I use fetchmail not that I have a real IP address.
2. Another possibility as outlined in the sasl client doc above is there may
be some missing library(s). It states that in these cases it would come up
with the NO MECHS message. Although I wouldn't know where to start finding
what is missing? I assume its the client spitting out the NO MECHS message? I
can't tell from the logs.
My system was built from a 10.10 ubuntu install using apt-get for the
remainder packages.
Thanks.
-Walt
Walt Shekrota
2011-03-25 21:27:17 UTC
Post by Noel Jones
If you're having trouble reading the logs, it's possible
someone here might know what to make of those messages.
http://www.postfix.org/DEBUG_README.html#mail
In particular, show us "postconf -n" output, unmodified log
entries demonstrating the problem, and contents of relevant files.
DO NOT send debug or verbose logging unless specifically
requested.
Since most of your questions seem to involve client SASL,
consider including the output of "saslfinger -c". Saslfinger
is not part of postfix, it can be found here
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
I apologise I'm a little lost with this output from your saslfinger tool.
Notice the end of the saslfinger it says my ISP has no mechanisms?
also it says :465 yet the main.cf and password file say :25.

Thanks.
-Walt


<postconf -n>

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mydestination = $myhostname, localhost
myhostname = ubu.doink.org
mynetworks = 172.16.0.0/16, 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
relayhost = smtp.frontier.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
permit_sasl_authenticated
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sasl_password


<log excerpt - interval of a single email>
Mar 25 16:55:39 ubu postfix/pickup[559]: 3485281365: uid=1000 from=<wshek>
Mar 25 16:55:39 ubu postfix/cleanup[865]: 3485281365: message-
id=<***@directnic.com>
Mar 25 16:55:39 ubu postfix/qmgr[560]: 3485281365: from=<***@ubu.doink.org>,
size=505, nrcpt=1 (queue active)
Mar 25 16:55:39 ubu postfix/smtp[869]: 3485281365:
to=<***@gmail.com>, relay=smtp.frontier.com[199.224.64.207]:25,
delay=0.81, delays=0.21/0.03/0.4/0.16, dsn=5.7.1, status=bounced (host
smtp.frontier.com[199.224.64.207] said: 554 5.7.1 Error: The message could not
be sent because your e-mail program needs to identify itself to the sending
mail server. Please see http://support.frontiernet.net/smtp for instructions
on how to correct this setting in your e-mail program.
(pool-96-233-230-70.rlghnc.dsl-w.verizon.net[96.233.230.70] to <Client host>)
(in reply to RCPT TO command))
Mar 25 16:55:39 ubu postfix/cleanup[865]: F0E4382D8D: message-
id=<***@ubu.doink.org>
Mar 25 16:55:40 ubu postfix/bounce[870]: 3485281365: sender non-delivery
notification: F0E4382D8D
Mar 25 16:55:40 ubu postfix/qmgr[560]: F0E4382D8D: from=<>, size=2970, nrcpt=1
(queue active)
Mar 25 16:55:40 ubu postfix/qmgr[560]: 3485281365: removed
Mar 25 16:55:40 ubu postfix/local[871]: F0E4382D8D: to=<***@ubu.doink.org>,
relay=local, delay=0.21, delays=0.11/0.03/0/0.08, dsn=2.0.0, status=sent
(delivered to mailbox)
Mar 25 16:55:40 ubu postfix/qmgr[560]: F0E4382D8D: removed


</etc/postfix/sasl_password>
smtp.frontier.com:25 ***@frontier.com:mypassword


<saslfinger -c>
saslfinger - postfix Cyrus sasl configuration Fri Mar 25 17:01:14 EDT 2011
version: 1.0.4
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.7.1
System: Ubuntu 10.10 \n \l

-- smtp is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00be1000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost = smtp.frontier.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous


-- listing of /usr/lib/sasl2 --
total 784
drwxr-xr-x 2 root root 4096 2010-12-22 18:55 .
drwxr-xr-x 136 root root 36864 2011-03-23 19:35 ..
-rw-r--r-- 1 root root 15924 2010-07-09 07:42 libanonymous.a
-rw-r--r-- 1 root root 990 2010-07-09 07:42 libanonymous.la
-rw-r--r-- 1 root root 13668 2010-07-09 07:42 libanonymous.so
-rw-r--r-- 1 root root 13668 2010-07-09 07:42 libanonymous.so.2
-rw-r--r-- 1 root root 13668 2010-07-09 07:42 libanonymous.so.2.0.23
-rw-r--r-- 1 root root 18950 2010-07-09 07:42 libcrammd5.a
-rw-r--r-- 1 root root 976 2010-07-09 07:42 libcrammd5.la
-rw-r--r-- 1 root root 17764 2010-07-09 07:42 libcrammd5.so
-rw-r--r-- 1 root root 17764 2010-07-09 07:42 libcrammd5.so.2
-rw-r--r-- 1 root root 17764 2010-07-09 07:42 libcrammd5.so.2.0.23
-rw-r--r-- 1 root root 54458 2010-07-09 07:42 libdigestmd5.a
-rw-r--r-- 1 root root 999 2010-07-09 07:42 libdigestmd5.la
-rw-r--r-- 1 root root 46712 2010-07-09 07:42 libdigestmd5.so
-rw-r--r-- 1 root root 46712 2010-07-09 07:42 libdigestmd5.so.2
-rw-r--r-- 1 root root 46712 2010-07-09 07:42 libdigestmd5.so.2.0.23
-rw-r--r-- 1 root root 16110 2010-07-09 07:42 liblogin.a
-rw-r--r-- 1 root root 970 2010-07-09 07:42 liblogin.la
-rw-r--r-- 1 root root 13664 2010-07-09 07:42 liblogin.so
-rw-r--r-- 1 root root 13664 2010-07-09 07:42 liblogin.so.2
-rw-r--r-- 1 root root 13664 2010-07-09 07:42 liblogin.so.2.0.23
-rw-r--r-- 1 root root 34908 2010-07-09 07:42 libntlm.a
-rw-r--r-- 1 root root 964 2010-07-09 07:42 libntlm.la
-rw-r--r-- 1 root root 30048 2010-07-09 07:42 libntlm.so
-rw-r--r-- 1 root root 30048 2010-07-09 07:42 libntlm.so.2
-rw-r--r-- 1 root root 30048 2010-07-09 07:42 libntlm.so.2.0.23
-rw-r--r-- 1 root root 16250 2010-07-09 07:42 libplain.a
-rw-r--r-- 1 root root 970 2010-07-09 07:42 libplain.la
-rw-r--r-- 1 root root 17760 2010-07-09 07:42 libplain.so
-rw-r--r-- 1 root root 17760 2010-07-09 07:42 libplain.so.2
-rw-r--r-- 1 root root 17760 2010-07-09 07:42 libplain.so.2.0.23
-rw-r--r-- 1 root root 24100 2010-07-09 07:42 libsasldb.a
-rw-r--r-- 1 root root 1001 2010-07-09 07:42 libsasldb.la
-rw-r--r-- 1 root root 21736 2010-07-09 07:42 libsasldb.so
-rw-r--r-- 1 root root 21736 2010-07-09 07:42 libsasldb.so.2
-rw-r--r-- 1 root root 21736 2010-07-09 07:42 libsasldb.so.2.0.23

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 2011-03-24 22:58 .
drwxr-xr-x 3 root root 4096 2011-03-25 17:00 ..
-rw-r--r-- 1 root root 48 2011-03-22 22:54 smtpd.conf


-- permissions for /etc/postfix/sasl_password --
-rw------- 1 root root 58 2011-03-25 16:37 /etc/postfix/sasl_password

-- permissions for /etc/postfix/sasl_password.db --
-rw------- 1 root root 12288 2011-03-25 16:53 /etc/postfix/sasl_password.db

/etc/postfix/sasl_password.db is up to date.

-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd -v
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

-- mechanisms on smtp.frontier.com:465 --


-- end of saslfinger output --
Reinaldo de Carvalho
2011-03-25 22:19:32 UTC
On Fri, Mar 25, 2011 at 6:27 PM, Walt Shekrota
Post by Walt Shekrota
size=505, nrcpt=1 (queue active)
[..]
Post by Walt Shekrota
</etc/postfix/sasl_password>
. The sender (MAIL FROM) is equals to authentication user (AUTH)?
No: ***@frontier.com != ***@ubu.doink.org
--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)
Walt Shekrota
2011-03-25 23:32:22 UTC
Post by Reinaldo de Carvalho
On Fri, Mar 25, 2011 at 6:27 PM, Walt Shekrota
[..]
Post by Walt Shekrota
</etc/postfix/sasl_password>
. The sender (MAIL FROM) is equals to authentication user (AUTH)?
--
Reinaldo de Carvalho
I think I see what you mean just not sure of the solution.
The email WAS sent from THAT id ***@ubu.doink.org. With the null SMTP I
could tell it otherwise. Is there a way to say mail from anywhere on my local
domain comes from ***@frontier.com?
Thanks
-Walt
Reindl Harald
2011-03-25 23:40:51 UTC
Post by Walt Shekrota
Post by Reinaldo de Carvalho
On Fri, Mar 25, 2011 at 6:27 PM, Walt Shekrota
[..]
Post by Walt Shekrota
</etc/postfix/sasl_password>
. The sender (MAIL FROM) is equals to authentication user (AUTH)?
--
Reinaldo de Carvalho
I think I see what you mean just not sure of the solution.
could tell it otherwise. Is there a way to say mail from anywhere on my local
i think the problem is not your from-address, i am not sure you
are using the right username/password on the relay.host which
can be totally independent from any mail-address
Walt Shekrota
2011-03-27 20:15:57 UTC
Post by Reinaldo de Carvalho
On Fri, Mar 25, 2011 at 6:27 PM, Walt Shekrota
[..]
Post by Walt Shekrota
</etc/postfix/sasl_password>
. The sender (MAIL FROM) is equals to authentication user (AUTH)?
--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net
Everything is working here (Dovecot) except for the outgoing (postfix smtp)
and I have a feeling it is my lack of understanding for postfix arch that is
keeping me from getting there. I figure what Reinaldo is telling me is the
clue.
Does this mean I can only send from an id == ***@frontier.com?
do I have to change lines in main.cf to phoney that id and host?
I apologise I don't have a broad knowledge of mail systems.
Thanks.
-Walt
Wietse Venema
2011-03-27 20:32:02 UTC
Post by Walt Shekrota
Post by Reinaldo de Carvalho
On Fri, Mar 25, 2011 at 6:27 PM, Walt Shekrota
[..]
Post by Walt Shekrota
</etc/postfix/sasl_password>
. The sender (MAIL FROM) is equals to authentication user (AUTH)?
Everything is working here (Dovecot) except for the outgoing (postfix smtp)
and I have a feeling it is my lack of understanding for postfix arch that is
keeping me from getting there. I figure what Reinaldo is telling me is the
clue.
do I have to change lines in main.cf to phoney that id and host?
I apologise I don't have a broad knowledge of mail systems.
Some providers do require that you use their email address as sender.

There is one way to find out if that is the case here, and that is
connecting to the ISP and doing an SMTP session by hand:

telnet provider 25
ehlo your.machine.name
auth plain ..secrets..
mail from:<sender address>
rcpt to:<recipient address>

If it accepts RCPT TO after you give the ISP's sender address, but
complains about RCPT TO with the sender address you want to use,
then that is the problem.

Wietse
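
The `..secrets..` placeholder in the session above is the SASL PLAIN initial response (RFC 4616). As an added example that is not part of the original thread, this builds that token, lists the lines to type, and applies the accept/reject rule from the post; the helper names and the test/test credentials are constructed for illustration.

```python
import base64


def auth_plain(authcid, password, authzid=""):
    """RFC 4616 initial response: base64(authzid NUL authcid NUL passwd)."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Reverse the encoding: the token is encoded, not encrypted."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    authzid, authcid, password = raw.split("\0")
    return authzid, authcid, password


def session(helo, authcid, password, sender, recipient):
    """Lines to type after 'telnet provider 25', in the order given in the post."""
    return [
        f"ehlo {helo}",
        f"auth plain {auth_plain(authcid, password)}",
        f"mail from:<{sender}>",
        f"rcpt to:<{recipient}>",
        "quit",
    ]


def sender_is_restricted(rcpt_reply_isp_sender, rcpt_reply_own_sender):
    """True when RCPT TO is accepted with the ISP's sender address
    but rejected with the sender address you want to use."""
    def accepted(reply):
        return reply.lstrip().startswith("2")
    return accepted(rcpt_reply_isp_sender) and not accepted(rcpt_reply_own_sender)


if __name__ == "__main__":
    # Constructed credentials and addresses, for illustration only.
    for line in session("your.machine.name", "test", "test",
                        "sender@example.org", "recipient@example.net"):
        print(line)
```

The token is only base64, so anyone who sees the session or a pasted transcript can recover the password with `decode_auth_plain`.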
Walt Shekrota
2011-03-27 21:32:09 UTC
Hi Wietse,

I tried the telnet test with a non frontier emailid and it just said ok so
that can't be the problem.
What returns from a normal send is 554 5.7.1 Error: (I think this is just a
catch all that says I do not identify myself)

-Walt
Wietse Venema
2011-03-27 21:44:35 UTC
Post by Walt Shekrota
Hi Wietse,
I tried the telnet test with a non frontier emailid and it just said ok so
that can't be the problem.
What returns from a normal send is 554 5.7.1 Error: (I think this is just a
catch all that says I do not identify myself)
You need to send me (OFF-LIST) a recording of the SMTP session.

1) Execute "postconf -e debug_peer_list=name.of.isp.mailhost"

2) Execute "postfix reload"

3) Send an email

4) Send the logfile records for the SMTP session in OFF-LIST email
as an attachment (so that it isn't destroyed by word-wrapping).

Wietse
Wietse Venema
2011-03-27 23:22:42 UTC
Post by Walt Shekrota
Hi Wietse,
I tried the telnet test with a non frontier emailid and it just said ok so
that can't be the problem.
What returns from a normal send is 554 5.7.1 Error: (I think this is just a
catch all that says I do not identify myself)
I'm including the logging, since it contains no sensitive data (after
replacing the username).

Mar 27 18:25:26 ubu postfix/postfix-script[12623]: refreshing the Postfix mail system
Mar 27 18:25:26 ubu postfix/master[11808]: reload -- version 2.7.1, configuration /etc/postfix
Mar 27 18:25:54 ubu postfix/pickup[12628]: 3D99C810EE: uid=1000 from=<XXXXX>
Mar 27 18:25:54 ubu postfix/cleanup[12637]: 3D99C810EE: message-id=<***@ubu.doink.org>
Mar 27 18:25:54 ubu postfix/qmgr[12627]: 3D99C810EE: from=<***@frontier.com>, size=359, nrcpt=1 (queue active)
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 220 relay03.dlls.pa.frontiernet.net ESMTP Postfix
Mar 27 18:25:54 ubu postfix/smtp[12639]: > smtp.frontier.com[199.224.64.207]:25: EHLO ubu.doink.org
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-relay03.dlls.pa.frontiernet.net
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-PIPELINING
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-SIZE 26214400
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-ETRN
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-AUTH LOGIN PLAIN
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-AUTH=LOGIN PLAIN
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-ENHANCEDSTATUSCODES
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-8BITMIME
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250 DSN
Mar 27 18:25:54 ubu postfix/smtp[12639]: server features: 0x900f size 26214400
Mar 27 18:25:54 ubu postfix/smtp[12639]: Using ESMTP PIPELINING, TCP send buffer size is 4096
Mar 27 18:25:54 ubu postfix/smtp[12639]: > smtp.frontier.com[199.224.64.207]:25: MAIL FROM:<***@frontier.com> SIZE=359

As you can see, the Postfix SMTP client does not send SASL authentication.

The logging also shows that the Postfix SMTP client does not search
the SASL password file for the name of the destination host, since
that would result in one or more logfile records with:

smtp[xxx]: maps_find: smtp_sasl_passwd: destinationhost = username:password
smtp[xxx]: maps_find: smtp_sasl_passwd: destinationhost: not found
smtp[xxx]: maps_find: smtp_sasl_passwd: destinationhost: search aborted

I conclude that your syslog service logs all the warnings to a different
file than normal logging, and therefore you don't see the warning
message with "warning: TLS has been selected, but TLS support is
not compiled in".

Wietse
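
The reading of the debug log in the message above, as an added example that is not part of the original thread and not Postfix code: it checks whether the server advertised AUTH, whether the client sent AUTH before MAIL FROM, and whether an smtp_sasl_passwd lookup was logged. The sample lines are abridged from the quoted session; the function names are hypothetical.

```python
import re

# Postfix SMTP client debug record: "<" is a server reply, ">" a client command.
WIRE = re.compile(r"postfix/smtp\[\d+\]: ([<>]) \S+\[[^\]]+\]:\d+: (.*)$")
LOOKUP = "maps_find: smtp_sasl_passwd:"

# Abridged from the session quoted in the message above.
SAMPLE = """\
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 220 relay03.dlls.pa.frontiernet.net ESMTP Postfix
Mar 27 18:25:54 ubu postfix/smtp[12639]: > smtp.frontier.com[199.224.64.207]:25: EHLO ubu.doink.org
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-PIPELINING
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-AUTH LOGIN PLAIN
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250-AUTH=LOGIN PLAIN
Mar 27 18:25:54 ubu postfix/smtp[12639]: < smtp.frontier.com[199.224.64.207]:25: 250 DSN
Mar 27 18:25:54 ubu postfix/smtp[12639]: > smtp.frontier.com[199.224.64.207]:25: MAIL FROM:<***@frontier.com> SIZE=359
""".splitlines()


def analyze(lines):
    """Collect the facts read off the log for one client session."""
    facts = {"offered": [], "auth_sent": False, "mail_from": False, "lookup": False}
    for line in lines:
        if LOOKUP in line:
            facts["lookup"] = True
        m = WIRE.search(line)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "<":
            # EHLO reply such as "250-AUTH LOGIN PLAIN" or "250-AUTH=LOGIN PLAIN"
            feat = re.match(r"250[- ]AUTH[ =](.+)", text)
            if feat:
                facts["offered"] += [x for x in feat.group(1).split()
                                     if x not in facts["offered"]]
        elif text.upper().startswith("AUTH ") and not facts["mail_from"]:
            facts["auth_sent"] = True
        elif text.upper().startswith("MAIL FROM:"):
            facts["mail_from"] = True
    return facts


def verdict(facts):
    if facts["auth_sent"]:
        return "client sent AUTH before MAIL FROM"
    if not facts["mail_from"]:
        return "no MAIL FROM recorded; session incomplete"
    if not facts["offered"]:
        return "server did not offer AUTH"
    if not facts["lookup"]:
        return "AUTH offered but never attempted: no smtp_sasl_passwd lookup logged"
    return "password map was searched but no AUTH was sent"


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE)))
```

When the client does authenticate, the recorded AUTH command carries the credentials base64-encoded, so redact that line before sharing such a log.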
Walt Shekrota
2011-03-27 23:51:56 UTC
Post by Wietse Venema
I conclude that your syslog service logs all the warnings to a different
file than normal logging, and therefore you don't see the warning
message with "warning: TLS has been selected, but TLS support is
not compiled in".
Wietse
Right you are. Sorry I had enabled tls as if I had it and did not know it
wasn't included. That turned off and a slight cleanup/review of the SASL doc
from your site and it produced authenticated in the log.

Wietse I am sorry for all the confusion. I needed to stick to the simple
approach I tried to start with. Changes midstream always muddy the water
worse.
I appreciate your patience. Thanks for the extended logging info.

-Walt
Walt Shekrota
2011-03-27 23:56:13 UTC
Closed thread I had TLS enabled and SASL was not being called for.
Moral of the story .... KISS Keep it Simple
And maybe, ONLY read official documents, but that is good advice for anything.

Thanks for those who tried to help.
-Walt
Charles Marcus
2011-03-28 16:01:18 UTC
Post by Walt Shekrota
smtpd_sasl_type = dovecot
dovecot's sasl implementation doesn't support CLIENT side SASL auth,
only server side.

If you need client side SASL AUTH capability, use Cyrus-SASL...
--
Best regards,

Charles
Reindl Harald
2011-03-28 16:12:04 UTC
Post by Charles Marcus
Post by Walt Shekrota
smtpd_sasl_type = dovecot
dovecot's sasl implementation doesn't support CLIENT side SASL auth,
only server side.
If you need client side SASL AUTH capability, use Cyrus-SASL...
to specify exactly:

"smtpd_sasl_type": smtpd = receive mails, smtp = send mails
it is enough to install the following packages as example for fedora
and configure for which hosts which username/password has to be used
and postfix will do this, you do not need smtpd_sasl for this

cyrus-sasl-plain-2.1.23-11.fc13.x86_64
cyrus-sasl-2.1.23-11.fc13.x86_64
cyrus-sasl-md5-2.1.23-11.fc13.x86_64
cyrus-sasl-ntlm-2.1.23-11.fc13.x86_64
cyrus-sasl-lib-2.1.23-11.fc13.x86_64

Below a configuration of an internal relay host which DOES NOT accept
SASL authentications (only connections from a few IPs) and manages over
which hosts some messages have to be relayed and what auth the relayhost
needs to send messages authenticated for domains with SPF for
which we provide services too and will not connect directly to the rcpt
________________________

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_relayhost_auth
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhost

[***@thx1138:~]$ cat /etc/postfix/smtp_relayhost_auth
# After changes: "postmap /etc/postfix/smtp_relayhost_auth"
***@domain.tld username:password

[***@thx1138:~]$ cat /etc/postfix/sender_relayhost
# After changes: "postmap /etc/postfix/sender_relayhost"
***@domain.tld [relayhost.domain.tld]
Victor Duchovni
2011-03-28 16:19:30 UTC
Post by Charles Marcus
Post by Walt Shekrota
smtpd_sasl_type = dovecot
dovecot's sasl implementation doesn't support CLIENT side SASL auth,
only server side.
If you need client side SASL AUTH capability, use Cyrus-SASL...
The NetBSD (current) Postfix now has an alternative (not Cyrus)
client-side SASL implementation: "saslc".

$ uname -sr
NetBSD 5.99.48
$ /usr/sbin/postconf -a
dovecot
$ /usr/sbin/postconf -A
saslc

$ ldd /usr/libexec/postfix/smtp
/usr/libexec/postfix/smtp:
-lssl.8 => /usr/lib/libssl.so.8
-lcrypto.6 => /usr/lib/libcrypto.so.6
-lcrypt.1 => /lib/libcrypt.so.1
-lc.12 => /usr/lib/libc.so.12
-lsaslc.0 => /usr/lib/libsaslc.so.0
-lgssapi.9 => /usr/lib/libgssapi.so.9
-lkrb5.24 => /usr/lib/libkrb5.so.24
-lhx509.4 => /usr/lib/libhx509.so.4
-lasn1.8 => /usr/lib/libasn1.so.8
-lcom_err.6 => /usr/lib/libcom_err.so.6
-lroken.14 => /usr/lib/libroken.so.14
-lutil.7 => /usr/lib/libutil.so.7
-lheimntlm.3 => /usr/lib/libheimntlm.so.3
-lldap.4 => /usr/lib/libldap.so.4
-llber.3 => /usr/lib/liblber.so.3
--
Viktor.
Charles Marcus
2011-03-28 16:30:03 UTC
Post by Reindl Harald
Post by Charles Marcus
Post by Walt Shekrota
smtpd_sasl_type = dovecot
dovecot's sasl implementation doesn't support CLIENT side SASL auth,
only server side.
If you need client side SASL AUTH capability, use Cyrus-SASL...
"smtpd_sasl_type": smtpd = receive mails, smtp = send mails
Interesting - I never even noticed you can specify a different type for
each, so I thought the one setting was for both... guess I should have
checked postconf -d output before posting...

But at least now I do know - thanks for pointing that out...
--
Best regards,

Charles
Reindl Harald
2011-03-28 16:33:06 UTC
Post by Charles Marcus
Post by Reindl Harald
"smtpd_sasl_type": smtpd = receive mails, smtp = send mails
Interesting - I never even noticed you can specify a different type for
each, so I thought the one setting was for both... guess I should have
checked postconf -d output before posting...
But at least now I do know - thanks for pointing that out...
no problem :-)

even after running a well designed mailsystem since 2009 where i thought
"this is perfect and can all do we ever want and need" i have learned
so many things the last few months, email is really a big terrain
--
With best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/