FreePBX17 questions - email & LetsEncrypt

First, for Let’s Encrypt, to get it to update the certificates I had to go into System Admin Pro and change the port for Admin away from port 80 and change LetsEncrypt from Disabled to Port 80. Is this expected?

Second (and more importantly in my case), I configured email to forward to Gmail via System Admin Pro. I’m getting the following error -

delivery temporarily suspended: SASL authentication
    failed; cannot authenticate to server smtp.gmail.com[142.251.16.109]: no
    mechanism available

I have not found a solution to this one. I’m guessing I’m missing a library? But if so, I don’t have any idea which one.

I googled your error message and found this blog post: http://www.medengineers.com/blog/?p=390

Looks like you need libsasl2-modules installed. YMMV.

I had the same problem and can confirm this is what solved it for me. That package should probably be added to the install script.

I found similar messages. But it looks like I have it…

root@freepbx17:~# apt list | grep sasl2

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

cyrus-sasl2-doc/stable,stable 2.1.28+dfsg-10 all
libsasl2-2/stable,stable,now 2.1.28+dfsg-10 amd64 [installed,automatic]
libsasl2-dev/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules-db/stable,stable,now 2.1.28+dfsg-10 amd64 [installed,automatic]
libsasl2-modules-gssapi-heimdal/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules-gssapi-mit/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules-kdexoauth2/stable,stable 22.12.3-1 amd64
libsasl2-modules-ldap/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules-otp/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules-sql/stable,stable 2.1.28+dfsg-10 amd64
libsasl2-modules/stable,stable 2.1.28+dfsg-10 amd64
sasl2-bin/stable,stable 2.1.28+dfsg-10 amd64

What are you using for the Gmail password? You need to enable 2 factor authentication on your Gmail account and then create an app password at the following link.

https://myaccount.google.com/apppasswords

NOTE: This is a one-time use password. If you try to test it from some other app or device first it won’t work again.

Do a systemctl reload postfix afterwards just to make sure the setting change is made.

I’m using an app-specific password.

The odd thing is it is working fine on my old freepbx15 system. Which really means nothing as it’s a totally different base operating system. I must be missing something, but I’m just stumped at the moment.

I’ve also tried various debug flags.

starting new SASL client
name_mask: noanonymous
smtp_sasl_authenticate: smtp.gmail.com[142.251.2.109]:587: SASL mechanisms LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
warning: SASL authentication failure: No worthy mechs found

Your apt list | grep sasl2 shows that you have libsasl2-2/stable and libsasl2-modules-db installed, but you do not have libsasl2-modules installed.
Try installing libsasl2-modules/stable,stable 2.1.28+dfsg-10 amd64 and see if this fixes it.

Food for thought

Less secure apps & your Google Account - Google Account Help.

Thanks @dicko. I also saw that and am looking for alternatives.

Are you using the same app specific password or did you create a new one for the new server? You must create a new one or it will not work.

Maybe check if the postfix config at /etc/postfix/main.cf is pointing at the correct file for the certificate. This is what it should be for self-signed on Debian 12. Not sure what it should be if using FreePBX + Cert Manager + LetsEncrypt.

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

If all else fails you can set it up manually on postfix instead of trying to rely on sysadmin pro. These are my install notes.

## ADD THE FOLLOWING TO THE BOTTOM OF /etc/postfix/main.cf
## CREATE THE FILE /etc/postfix/sasl_passwd and add:
## [smtp.gmail.com]:587 [email protected]:somepassword
## then run "postmap /etc/postfix/sasl_passwd" to create the sasl_passwd.db file

#Set the relayhost to the Gmail SMTP server
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

@SamShomi I think you might be onto something. There is no certificate file.

smtp_tls_CAfile =

I’ll have to look into that more.

Thanks all for the pointers!

Edit to update - there are pem & key files.

root@freepbx17:/etc/postfix# grep tls main.cf
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtp_tls_CAfile =
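
A relay that sends a SASL password should require TLS rather than use the opportunistic `may` level shown in the grep output above. The following check is an added example, not code from any poster or from FreePBX; the function names and finding tags are hypothetical, and the sample main.cf is constructed from settings quoted in this thread. It treats either `smtp_tls_CAfile` or `smtp_tls_CApath` as a CA source.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed main.cf text that combines
# the relay settings and the `grep tls main.cf` values quoted above.
sample_main_cf() {
cat <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_CAfile =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
}

# cf_get NAME: value of NAME from main.cf text on stdin. Postfix keeps the
# last assignment of a parameter; continuation lines are not handled here.
cf_get() {
    awk -v k="$1" -F= '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }'
}

# relay_findings: read main.cf text on stdin, print one tag per finding.
# The tag names are hypothetical labels chosen for this example.
relay_findings() {
    cf=$(cat)
    get() { printf '%s\n' "$cf" | cf_get "$1"; }
    [ "$(get smtp_sasl_auth_enable)" = yes ] || { echo sasl-auth-disabled; return; }
    case "$(get smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;  # TLS is mandatory
        *) echo tls-not-mandatory ;;                      # may, dane, none, unset
    esac
    [ -n "$(get smtp_tls_CAfile)$(get smtp_tls_CApath)" ] || echo no-ca-store
    [ -n "$(get smtp_sasl_password_maps)" ] || echo no-password-map
}

sample_main_cf | relay_findings
# The map file holds the app password in clear text; keep it root-only:
#   chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
```

On a live system, feed it the real file with `relay_findings < /etc/postfix/main.cf`.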

Well crap -

apt-get install libsasl2-modules

fixed it. I was not understanding the apt list output.

Thanks to @shane8johnson and all others that helped. Still have to worry about this going away with Google…
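
The `apt list | grep sasl2` output earlier in the thread lists every available package, and only the lines ending in `[installed...]` are actually on the system. The following is an added example, not code from any poster; the function names are hypothetical and the sample is constructed from lines of that output. It filters the listing down to installed packages and reports which required ones are missing.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample: a subset of the
# `apt list | grep sasl2` lines posted above.
sample_apt_list() {
cat <<'EOF'
cyrus-sasl2-doc/stable,stable 2.1.28+dfsg-10 all
libsasl2-2/stable,stable,now 2.1.28+dfsg-10 amd64 [installed,automatic]
libsasl2-modules-db/stable,stable,now 2.1.28+dfsg-10 amd64 [installed,automatic]
libsasl2-modules/stable,stable 2.1.28+dfsg-10 amd64
sasl2-bin/stable,stable 2.1.28+dfsg-10 amd64
EOF
}

# Read `apt list` lines on stdin; print the names of installed packages only.
# Line layout: name/suites version arch [status]. The status is the 4th field,
# and states such as "[upgradable from: x]" do not count as installed.
installed_from_apt_list() {
    awk '$4 ~ /^\[installed/ { split($1, a, "/"); print a[1] }'
}

# missing_packages PKG...: read `apt list` lines on stdin and print each
# named package that is not marked installed.
missing_packages() {
    installed=$(installed_from_apt_list)
    for pkg in "$@"; do
        printf '%s\n' "$installed" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# libsasl2-modules is the package the thread identifies as the fix.
sample_apt_list | missing_packages libsasl2-2 libsasl2-modules

# On a live system, either of these avoids the misreading entirely:
#   apt list --installed 2>/dev/null | grep sasl2
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'libsasl2*'
```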
