I am upgrading a postfix email server from Debian Bullseye to Trixie. The server is using saslauthd which is using the /etc/shadow file for authentication.
The issue: a Ruby on Rails application that used to authenticate correctly using the ActionMailer library and plain authentication, fails to authenticate with the following log output in /var/log/mail.log:
2025-09-15T18:21:40.114455+00:00 ip-10-30-73-92 postfix/master[29793]: daemon started -- version 3.10.4, configuration /etc/postfix
2025-09-15T18:21:50.481732+00:00 ip-10-30-73-92 postfix/submission/smtpd[29800]: connect from ip-10-30-69-201.ec2.internal[10.30.69.201]
2025-09-15T18:21:50.497428+00:00 ip-10-30-73-92 postfix/submission/smtpd[29800]: warning: SASL authentication failure: Password verification
failed
2025-09-15T18:21:50.497618+00:00 ip-10-30-73-92 postfix/submission/smtpd[29800]: warning: ip-10-30-69-201.ec2.internal[10.30.69.201]: SASL PLAIN authentication failed: authentication failure, sasl_username=noreply
2025-09-15T18:21:50.498644+00:00 ip-10-30-73-92 postfix/submission/smtpd[29800]: NOQUEUE: lost connection after AUTH from ip-10-30-69-201.ec
2.internal[10.30.69.201]
2025-09-15T18:21:50.498745+00:00 ip-10-30-73-92 postfix/submission/smtpd[29800]: disconnect from ip-10-30-69-201.ec2.internal[10.30.69.201]
ehlo=2 starttls=1 auth=0/1 commands=3/4
Things I have done to aid the transition and eliminate other potential issues:
1.) I have performed what you see in the following answers in regards to ensuring saslauthd has a correct PID location as well as an updated /var/run location within the postfix chroot: Saslauthd service not starting after upgrade to Ubuntu 24.04
2.) Run sudo testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u noreply -p '[PASSWORD]' and received 0: OK "Success." Changing this to a slightly different password correctly results in failure.
3.) Removed @ symbols from the password (where there were some), whereas it seems like @ in usernames can cause problems in saslauthd requiring a more elaborate configuration I wished to avoid: https://forum.virtualmin.com/t/sasl-authentication-fails-for-usernames-with-an/116527
This did not make a difference in postfix and testsaslauthd succeeded with the new passwords.
Is there anything I'm missing? My attempts with mailx and openssl s_connect have failed to authenticate as well, when pasting in the output of $( echo -n "noreply:[PASSWORD]" | base64) to the AUTH PLAIN prompt. Does the username/password need to be null-terminated instead?
Thanks in advance.
EDIT:
I've dug further and now saslauthd and postfix are talking. The issue seems to be a successful auth using testsaslauthd is using service smtpd whereas the unsuccessful authentication from the application somehow is using service stmp.
Good:
saslauthd[14762] :auth success: [user=noreply] [service=smtpd] [realm=] [mech=pam]
saslauthd[14762] :response: OK
BAD
saslauthd[14763] :[login=noreply] [service=smtp] [realm=]: not found, update pending
saslauthd[14763] :attempting to release lock on slot: 718
saslauthd[14763] :auth failure: [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
What do I need to check to make this right?
debug_peer_list = 10.30.69.201anddebug_peer_level = 3inmain.cf.echo -n "noreply:[PASSWORD]" | base 64but when decoded was simplynoreply[PASSWORD]on the CLI usingbase64 --decode. However, that may be a side effect of them being null-terminated and those null terminated characters not making it to stdout. No smoking gun as far as I can tell.saslauthd -a pam -d -r -c -m /var/spool/postfix/var/run/saslauthd, I can not get authentication logging to show up around the time postfix reports its failure. I can withtestsaslauthd. I am beginning to suspect the postfix chroot can't talk tosaslauthdin its current configuration.smtpwhereas requests that succeed are using servicesmtpd, repeated above. What do I need to check/change here?