Configuring an email client like Outlook or Thunderbird to send through a Plesk server should take five minutes. But when Plesk SMTP authentication fails, users see cryptic errors like 535 Authentication Failed, 534 Authentication mechanism is too weak, or just Cannot connect to the outgoing mail server. This guide covers every root cause — from wrong port settings and encryption mismatches to Postfix SASL configuration and Dovecot authentication issues.
1. Verify Email Client Settings First
Before touching any server configuration, confirm the email client is configured correctly. The majority of "SMTP authentication failed" reports in Plesk are caused by wrong port or encryption settings in the mail client, not a server problem.
Correct SMTP settings for a Plesk server:
- SMTP server hostname: use your server's hostname (found in Plesk > Tools & Settings > Server Settings), not just your domain name
- Port 465 + SSL/TLS — recommended for direct SSL encryption
- Port 587 + STARTTLS — recommended for submission with upgrade
- Port 25 — for server-to-server relay only; most ISPs block outbound port 25
- Authentication: Normal password (plain) or Encrypted password (LOGIN) — avoid NTLM or Kerberos for Plesk
- Username: the full email address (e.g.,
user@yourdomain.com), not justuser
In Outlook: go to File > Account Settings > Email > More Settings > Outgoing Server and confirm "My outgoing server requires authentication" is checked.
In Thunderbird: go to Tools > Account Settings > Outgoing Server (SMTP), click Edit, and set Security to SSL/TLS (port 465) or STARTTLS (port 587), with Authentication Method set to Normal password.
💡 None of these worked? Skip the guesswork.
Get Expert Help →2. Check the Postfix SASL Configuration on the Server
If the email client settings are correct but authentication still fails, the Postfix SASL (Simple Authentication and Security Layer) configuration on the Plesk server may be broken or missing a required line.
grep -E "smtpd_sasl|smtpd_relay_restrictions|smtpd_recipient_restrictions" /etc/postfix/main.cfYou must see permit_sasl_authenticated in the relay or recipient restrictions. A correct configuration looks like:
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostnameIf you see smtpd_sasl_security_options = noplaintext, this blocks plain-text authentication mechanisms — which is what most email clients use over SSL. Comment out or remove this line:
sed -i 's/^smtpd_sasl_security_options = noplaintext/#smtpd_sasl_security_options = noplaintext/' /etc/postfix/main.cfpostfix check && systemctl reload postfixsystemctl status dovecotIf Dovecot is inactive or failed, restart it:
systemctl restart dovecot && systemctl enable dovecotls -la /var/spool/postfix/private/auth
# or:
ls -la /var/run/dovecot/auth-clientIf the socket is missing after Dovecot restart, check Dovecot's auth configuration:
grep -r "service auth" /etc/dovecot/conf.d/10-master.conftelnet localhost 587After connecting, type EHLO test. You should see 250-AUTH LOGIN PLAIN in the response. If AUTH mechanisms are not listed, SASL authentication is not enabled.
ss -tlnp | grep -E ":25|:465|:587"Port 587 (submission) and/or 465 (smtps) should appear. If they are missing, check the Postfix master.cf configuration:
grep -E "^submission|^smtps" /etc/postfix/master.cfUncomment or add the submission and smtps entries if they are missing.
Log in to Plesk > Tools & Settings > Firewall and ensure ports 465 (SMTPS) and 587 (SMTP Submission) are set to Allow.
iptables -L INPUT -n --line-numbers | grep -E "465|587|25"If these ports are blocked by a DROP or REJECT rule, add allow rules:
iptables -I INPUT -p tcp --dport 587 -j ACCEPT
iptables -I INPUT -p tcp --dport 465 -j ACCEPT
service iptables saveLog in to Plesk > Domains > your domain > Mail > your email address > Change Password. Set a new password and update it in the email client.
plesk bin mail -u user@yourdomain.com -passwd "NewSecurePassword123!"Navigate to https://yourdomain.com/webmail or https://your-server-hostname/webmail and log in with the email and password. If Roundcube webmail works but the email client does not, the server credentials are correct and the issue is in the client's settings.
tail -100 /var/log/maillog | grep -E "authentication|SASL|535"
tail -100 /var/log/dovecot.log | grep -E "auth|failed|error"systemctl status amavis
tail -50 /var/log/mail.log | grep amavisIf Plesk's mail configuration has drifted from its expected state, rebuild it:
plesk repair mail -yThis reconfigures Postfix and Dovecot to match Plesk's stored settings and fixes most authentication issues introduced by manual edits.
If you need expert help getting Plesk email authentication working across all your client domains, CloudHouse's managed Plesk support team can diagnose and fix SMTP authentication failures remotely — usually within the hour.
Edit /etc/postfix/main.cf and add:
debug_peer_list = 127.0.0.1
debug_peer_level = 2Then reload Postfix and watch the log:
systemctl reload postfix
tail -f /var/log/maillog | grep -E "SASL|AUTH|535|debug"The debug log will show exactly which authentication mechanism was attempted and at which step it failed.
sed -i '/debug_peer_list/d; /debug_peer_level/d' /etc/postfix/main.cf
systemctl reload postfix