#561807 postfix: sasl won't work in the sasl folder

Package:
postfix
Source:
postfix
Description:
High-performance mail transport agent
Submitter:
Anthony Campbell
Date:
2026-03-04 13:29:01 UTC
Severity:
normal
#561807#5
Date:
2009-12-20 13:00:04 UTC
From:
To:
README.Debian says that sasl stuff goes in /etc/postfix/sasl.
If I put it there it doesn't work; I have to put it in /etc/postfix.

#561807#10
Date:
2026-03-03 14:51:37 UTC
From:
To:
Dear Maintainer,

   * What led up to the situation?

After upgrading from bookworm to trixie postfix authentication started failing.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Upgrade postfix from bookworm to trixie

   * What was the outcome of this action?

sasl authentication with ldap backend was broken.

mail.log only showed connection was broken

2026-02-28T05:55:26.327940-08:00 comms-staging postfix/submission/smtpd[2086]:
connect from unknown[106.222.210.148]
2026-02-28T05:55:34.607009-08:00 comms-staging postfix/submission/smtpd[2086]:
NOQUEUE: lost connection after EHLO from unknown[106.222.210.148]
2026-02-28T05:55:34.607273-08:00 comms-staging postfix/submission/smtpd[2086]:
disconnect from unknown[106.222.210.148] ehlo=2 starttls=1 commands=3

and msmtp showed

$ msmtp -a praveen1@domain.tld  -t <smtp_test.txt
password for praveen at comms-staging.domain.tld:
msmtp: GNU SASL: Error authenticating user
msmtp: could not send mail (account praveen1@domain.tld from
/home/pravi/.msmtprc)

   * What outcome did you expect instead?

postfix should continue working with saslauthd.

Then I compared postconf output from a freshly installed postfix on another
system and found

It had cyrus_sasl_config_path = /etc/postfix/sasl

Adding this to main.cf fixed the issue. Since this breaks upgrades, this should
be documented in the NEWS file (until bookworm this was not required).

#561807#17
Date:
2026-03-03 18:47:45 UTC
From:
To:
Control: tag -1 + moreinfo unreproducible
Control: severity -1 normal

When upgrading from bookworm version to trixie version, the package
checks if cyrus_sasl_config_path is specified in the old config,
and if not, sets it to /etc/postfix/sasl.  This is the fragment from
the postinst script which does this:

if dpkg --compare-versions "$OLDVERSION" lt-nl 3.9.0-3~
then
     # cyrus_sasl_config used to be hard-coded in debian to
/etc/postfix/sasl.
     # Since 3.9.0-3 we switched to upstream default which is empty,
     # which means to use built-in Cyrus SASL library defaults.
     # Debian policy says it should be /etc/postfix/sasl
     if [ ! "$(postconf -hx cyrus_sasl_config_path)" ]; then
         postconf -e cyrus_sasl_config_path=/etc/postfix/sasl
     fi
fi


I verified upgrades from various different versions of postfix package,
and the upgrade definitely adds this configuration item.  A lot of users
with cyrus sasl upgraded their systems flawlessly.  Just yesterday I
upgraded another bookworm system to trixie, including postfix, and the
procedure added

  cyrus_sasl_config_path = /etc/postfix/sasl

to main.cf, even if I don't use cyrus or sasl in general.

So this should be something on your system which breaks this workaround.

Please find out what's different on your system.
Which was the version of postfix you're upgrading from?

There's definitely no reason to add news entries saying upgrade will
break your system if it doesn't happen for everyone else.

Also, it's a bad habit to hijack an old bug report which talks about
a version which were many debian releases ago - it's unlikely to be
the same issue.

Thanks,

/mjt

#561807#26
Date:
2026-03-03 18:56:56 UTC
From:
To:
I maintain main.cf as a template in ansible. So I need to make this
change manually to the configuration file. This would be the case for
people using configuration management tools like ansible.

After postfix was updated, I have applied the main.cf in my ansible
templates which removed this entry. I later found it out by comparing
the postconf output on a freshly installed system.

As I said, it will break anyone using a configuration management system
like ansible as they need to make this change in their template
configuration as well. So I think it deserves a mention in the NEWS file.

I have seen people recommending to check existing issues and comment on
them rather than opening new issues.

#561807#31
Date:
2026-03-03 19:37:41 UTC
From:
To:
On 03.03.2026 21:56, Pirate Praveen wrote:
...

Aha, this makes sense indeed - when you remove carefully added
configuration changes aimed to keep your system running, things
will break, unless you take care of them somehow.  Maybe paying
attention to `ansible-playbook -CD` output after upgrade is a
good idea too.

It's always a trade-off, - as I said, you're the only one who faced this
issue so far (it's been quite a number of upgrades since trixie is out).
For the rest of users, such NEWS entry would be a useless noise.
There's already quite some differences in postfix packaging in trixie
(removal of the postfix@- unit etc).  I wanted to keep it as compact as
possible.  Adding this change to NEWS didn't occur to me at all, though,
because it seemed like something which I solved by editing config.

Yeah. When it's the same issue.

But doesn't matter anymore.  That bug was not useful anyway, 17 years
after its been filed.

/mjt

#561807#38
Date:
2026-03-04 13:26:57 UTC
From:
To:
Usual practice with apt/dpkg is giving a manual prompt if maintainer
supplied config conflicts with user modified changes, letting the user
inspect changes manually. I'm not sure if other packages edit config
files through a postinst script.

I think editing config files in postinst is not a standard way users
expect to know about a config change, so I still think this would be
useful. But I'll let you make the call as the maintainer.

I'm not sure if any other change has an high impact like this.
I thought this was pretty close as it was talking about the sasl path
needing manual action, though why this was needed indeed changed.