SMTP 503 5.5.1 Error: authentication not enabled

I am using a local postfix smtp and getting this error:

503 5.5.1 Error: authentication not enabled

DISCOURSE_SMTP_ADDRESS: mail.xxx.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: resources@xxx.net
DISCOURSE_SMTP_PASSWORD: password123?
DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
DISCOURSE_SMTP_AUTHENTICATION: “plain”

I added the last 2 options as a last resort but made no effect.

The smtp server works in all testing tools I used, like openssl or swaks from inside the docker container.

root@resources-app:/# swaks --to resources@xxx.net --server mail.xxx.net:587 -tls
=== Trying mail.xxx.net:587...
=== Connected to mail.xxx.net.
<-  220 mail.xxx.net ESMTP Postfix (Ubuntu)
 -> EHLO resources-app
<-  250-mail.xxx.net
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=*.xxx.net"
 ~> EHLO resources-app
<~  250-mail.xxx.net
<~  250-PIPELINING
<~  250-SIZE 10240000
<~  250-VRFY
<~  250-ETRN
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250-SMTPUTF8
<~  250 CHUNKING
 ~> MAIL FROM:<root@resources-app>
<~  250 2.1.0 Ok
 ~> RCPT TO:<resources@xxx.net>
<~  250 2.1.5 Ok
 ~> DATA
<~  354 End data with <CR><LF>.<CR><LF>
 ~> Date: Tue, 03 Aug 2021 11:04:12 +0000
 ~> To: resources@xxx.net
 ~> From: root@resources-app
 ~> Subject: test Tue, 03 Aug 2021 11:04:12 +0000
 ~> Message-Id: <20210803110412.593268@resources-app>
 ~> X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/
 ~>
 ~> This is a test mailing
 ~>
 ~>
 ~> .
<~  250 2.0.0 Ok: queued as 1C4ED8AA
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.

The error could mean that you don’t have smtp_sasl_auth_enable = yes in your postfix conf. what is the output of postconf -n does it contain the above string? if not, then please uncomment or edit /etc/postfix/main.cf and report back.

I do have
smtp_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes

I think the above two options are contradictory. You should set the correct authentication method in discourse for this to work.

makes sense, I don’t use SASL so I set those options to make it more secure.
What methods are available?
Also why is SASL mandatory? I had it disabled before and SMTP worked in all other applications like nextcloud and thunderbird

SASL is only needed to send email to remote servers, but this server only works locally

Thanks

My understanding may be flawed here but I think sasl is needed because the docker container is logically separate from the host which has postfix running on it.

I’d say maybe try lowering the hardening of postfix and see what works best for you?

This file should give you some idea about how those settings

discourse/config/discourse_defaults.conf at main · discourse/discourse · GitHub

That defaults file doesn’t have all the possible values, was wondering if there is a more secure option. Will look at the code/libs later

removing the security options still doesn’t fix it.
do I need to run launcher app rebuild before running discourse-doctor again?

thanks

Notice the d

Discourse should only really need the parameters starting with smtp and not smtpd

I only have
smtp_sasl_auth_enable = yes

no other restrictions…