Bug 58791 - Mail clients cannot be configured - Secure SMTP endpoint unreachable due to saslauthd failure
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-11 09:54 CET by Mirac Erdemiroglu
Modified: 2025-11-12 16:14 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025110721000131
Bug group (optional): Regression
Customer ID: 44145
Max CVSS v3 score:


Description Mirac Erdemiroglu univentionstaff 2025-11-11 09:54:09 CET
1. Title
   Secure SMTP (securesmtp) Endpoint Unreachable Due to Misconfigured SASL Authentication Service

2. Summary
   * Secure SMTP endpoint not reachable
   * Mail clients unable to authenticate or configure accounts
   * Root cause traced to faulty `saslauthd` configuration

3. Affected System
   * Univention Corporate Server (UCS) 5.2-3 errata248
   * Components: fetchmail 6.4.37, mailserver 16.0, ox-connector 3.0.0, oxseforucs 7.10.6-ucs11
   * SASL-related packages:

     * sasl2-bin 2.1.28+dfsg-10
     * univention-sasl 10.0.2
     * libsasl2-modules-oauthbearer 1.0.0-5

4. Problem Description
   * SASL authentication via SMTP failed
   * `saslauthd` reported as active (exited) but not running properly
   * Missing parameter `START=yes` in `/etc/default/saslauthd` prevented automatic startup
   * Socket directory `/var/run/saslauthd/` not initialized correctly

5. Observed Symptoms
   * Mail clients unable to authenticate to securesmtp
   * Postfix logs repeated SASL connection and authentication failures
   * Typical log messages:

     * oauthbearer plugin initialization failed
     * cannot connect to saslauthd server: No such file or directory
     * SASL PLAIN authentication failed

6. Service Status
   * `saslauthd` appears as *active (exited)*
   * No running processes handling authentication requests
   * Socket files present but owned by `root` instead of `sasl`

7. Steps to Reproduce
   * Install or update UCS 5.2-3 with mailserver and SASL support
   * Check `/etc/default/saslauthd` — parameter `START=yes` missing
   * Restart `saslauthd` service
   * Attempt SMTP authentication via securesmtp (port 465 or 587)
   * Observe failed authentication and related log entries

8. Root Cause
   * Incomplete Univention template `/etc/univention/templates/files/etc/default/saslauthd`
   * Missing configuration line `START=yes`
   * Service starts but exits immediately, leaving Postfix without SASL communication
   * Root cause reference: Univention Bugzilla #46120

9. Expected Behavior
   * `saslauthd` runs automatically at system startup
   * Proper socket creation under `/var/run/saslauthd/` with correct permissions
   * Postfix successfully communicates with SASL for authentication

10. Actual Behavior
    * `saslauthd` exits immediately after startup
    * Postfix cannot connect to SASL socket
    * All SMTP authentication attempts fail

11. Workaround
    * Add missing line in `/etc/default/saslauthd`: `START=yes`
    * Restart `saslauthd` service
    * Confirm socket creation and ownership (`root:sasl`) under `/var/run/saslauthd/`
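
The checks from sections 5 and 11 of the report above, written as read-only shell functions. This is an added example, not part of the report or of UCS: the function names are hypothetical, the defaults file and log line in `demo` are constructed, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the bug report. Read-only checks; function names
# are hypothetical, paths and the root:sasl owner are taken from the report.

# 0 if the last uncommented START= assignment in the defaults file is "yes",
# 1 if it is missing or set to something else, 2 if the file is unreadable.
start_enabled() {
    [ -r "$1" ] || return 2
    val=$(sed -n 's/^[[:space:]]*START=//p' "$1" | tail -n 1 |
          sed 's/[[:space:]]*#.*//' | tr -d "\"'")
    [ "$val" = "yes" ]
}

# 0 if the run directory exists, has the expected user:group and holds a socket.
socket_dir_ok() {
    [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
    have=$(stat -c '%U:%G' "$1")
    [ "$have" = "$2" ] || { echo "owner $have, expected $2"; return 1; }
    [ -n "$(find "$1" -maxdepth 1 -type s 2>/dev/null)" ] ||
        { echo "no socket in $1"; return 1; }
}

# Print how many log lines carry one of the messages listed in section 5.
count_symptoms() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e 'oauthbearer plugin initialization failed' \
            -e 'cannot connect to saslauthd server' \
            -e 'SASL PLAIN authentication failed' "$1" || true
}

# Run all three checks; the exit status is the number of failed checks.
saslauthd_report() {   # args: defaults_file run_dir owner mail_log
    fails=0
    start_enabled "$1" || { echo "START=yes not active in $1"; fails=$((fails+1)); }
    socket_dir_ok "$2" "$3" || fails=$((fails+1))
    n=$(count_symptoms "$4")
    [ "$n" -eq 0 ] || { echo "$n SASL failure lines in $4"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: defaults file without START=, no run dir, one log line.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# Description of this saslauthd instance. Recommended.' > "$d/saslauthd"
    printf '%s\n' 'warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory' > "$d/mail.log"
    rc=0; saslauthd_report "$d/saslauthd" "$d/run" root:sasl "$d/mail.log" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

On an affected host the call would be `saslauthd_report /etc/default/saslauthd /var/run/saslauthd root:sasl <mail log>`, with the log path depending on the local syslog setup.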
Comment 1 Florian Best univentionstaff 2025-11-12 09:32:16 CET
caused by:

commit d31084fec326a7a034c76aa1f50f9052c70f31ab
Date:   Tue Oct 17 12:06:30 2023 +0200

    Bug #46120: rebase univention-sasl UCR templates
    
    The START= option has been removed in upstream Debian. Applied that change
    to the UCR template

diff --git services/univention-sasl/conffiles/etc/default/saslauthd services/univention-sasl/conffiles/etc/default/saslauthd
index e343072008c..fd8761c4fc8 100644
--- services/univention-sasl/conffiles/etc/default/saslauthd
+++ services/univention-sasl/conffiles/etc/default/saslauthd
@@ -5,8 +5,6 @@
 # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
 #
 
-# Should saslauthd run automatically on startup? (default: no)
-START=yes
 
 # Description of this saslauthd instance. Recommended.
 # (suggestion: SASL Authentication Daemon)
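
Review bot: dropping `START=yes` together with its comment rests only on the commit message's statement that upstream Debian removed the option; nothing in the hunk shows that the start script or unit shipped with the sasl2-bin version on UCS no longer reads `START`, and the report above describes saslauthd as active (exited) once the line is gone. Before removing it, confirm against the packaged start script that the variable is unused, otherwise keep the line, and in either case leave a short comment in the template saying how automatic startup is now controlled. The removal also leaves two consecutive blank lines ahead of the "Description of this saslauthd instance" comment; one of them can go.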