Tags: 535, communication, auth_error, ai_generated: true
535 5.7.8 Authentication credentials invalid: SMTP server rejected username/password
ID: communication/smtp-535-authentication-credentials-invalid
Fix Rate: 90%
Confidence: 88%
Evidence: 1
First Seen: 2023-06-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Postfix 3.7 | active | — | — | — |
| Exim 4.96 | active | — | — | — |
| Microsoft Exchange 2019 | active | — | — | — |
| SendGrid SMTP relay | active | — | — | — |
Root Cause
SMTP authentication failed because the provided username or password does not match the server's authentication backend, often due to app-specific password requirements or OAuth token expiration.
Official Documentation
https://datatracker.ietf.org/doc/html/rfc4954
Workarounds
- 95% success: Generate an app-specific password for SMTP in the email provider's security settings, e.g., Google: https://myaccount.google.com/apppasswords, then update SMTP client config with that password.
- 85% success: Switch to OAuth 2.0 authentication for SMTP if supported, e.g., using `XOAUTH2` mechanism with a refreshed access token.
- 90% success: Verify credentials by testing with `openssl s_client -connect smtp.example.com:587 -starttls smtp` and manually issuing `AUTH LOGIN` with base64-encoded username/password.
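For the manual test above, the following added example (not part of the original entry) builds the lines to type into the `openssl s_client` session for `AUTH LOGIN` or `XOAUTH2`, decodes the server's `334` prompts, and maps the final reply to the RFC 4954 reply codes. Function names and sample values are assumptions made for illustration; base64 is an encoding, not encryption, so these lines belong only inside the STARTTLS session.

```python
import base64
import re

# Reply codes for AUTH from RFC 4954 section 6: basic code -> (enhanced, meaning)
AUTH_REPLIES = {
    "235": ("2.7.0", "authentication succeeded"),
    "432": ("4.7.12", "password transition needed"),
    "454": ("4.7.0", "temporary authentication failure"),
    "530": ("5.7.0", "authentication required"),
    "534": ("5.7.9", "authentication mechanism is too weak"),
    "535": ("5.7.8", "authentication credentials invalid"),
    "538": ("5.7.11", "encryption required for requested mechanism"),
}

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def auth_login_lines(username, password):
    """Lines to type for AUTH LOGIN: the command, then one answer per 334 prompt."""
    return ["AUTH LOGIN", b64(username), b64(password)]

def xoauth2_line(username, access_token):
    """AUTH XOAUTH2 with initial response: user=..^Aauth=Bearer ..^A^A, base64-encoded."""
    return "AUTH XOAUTH2 " + b64(f"user={username}\x01auth=Bearer {access_token}\x01\x01")

def decode_challenge(reply):
    """Decode a 334 continuation such as '334 VXNlcm5hbWU6' ('Username:')."""
    code, _, payload = reply.strip().partition(" ")
    if code != "334":
        raise ValueError("not a 334 challenge: " + reply)
    return base64.b64decode(payload).decode("utf-8", "replace")

def classify_reply(reply):
    """Return (code, enhanced code or None, meaning) for a final AUTH reply line."""
    m = re.match(r"(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s)?", reply)
    if not m:
        raise ValueError("not an SMTP reply: " + reply)
    code, enhanced = m.groups()
    expected, meaning = AUTH_REPLIES.get(code, (None, "not an RFC 4954 AUTH reply code"))
    if enhanced and expected and enhanced != expected:
        meaning += " (server sent a different enhanced code)"
    return code, enhanced, meaning

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for line in auth_login_lines("user@example.com", "constructed-app-password"):
        print(line)
    print(classify_reply("535 5.7.8 Authentication credentials invalid"))
```

A `535` on a password known to be correct for webmail points to the app-specific password or OAuth workarounds, while `530` or `538` points to a missing AUTH or missing TLS step rather than bad credentials.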
Dead Ends
Common approaches that don't work:
- Re-enter the same credentials in the SMTP client configuration (70% fail): If credentials are invalid or expired, re-entering them does not resolve the underlying issue (e.g., app password required).
- Disable SMTP authentication entirely in client settings (85% fail): Most SMTP servers require authentication for relay; disabling it may cause 'Relay access denied' errors.
- Use the same password as the webmail login without generating an app-specific password (75% fail): Services like Gmail, Outlook, and Yahoo require app-specific passwords for SMTP; using the primary account password often fails.