Microservice to bring 2FA to self hosted PDSes

No compatible authentication mechanism was found #4

open
opened by foxwitch.net

PDS and gatekeeper are running; there are no errors or any messages in the Docker log of the gatekeeper until an authentication is attempted. 2FA can both be enabled and disabled from bsky web, including entering the code sent to my mail for disabling it.

What works:

  • Login & logout with 2FA disabled
  • Enabling 2FA
  • Disabling 2FA + receiving code via email

What does not work:

  • Login with 2FA enabled, see error below

Gatekeeper Logs:

bsky-gatekeeper  | 2025-10-16T23:51:35.555724Z ERROR pds_gatekeeper::helpers: Error sending the 2FA email: internal client error: No compatible authentication mechanism was found
bsky-gatekeeper  | 2025-10-16T23:51:35.555775Z ERROR pds_gatekeeper::xrpc::com_atproto_server: Error during pre-auth check. This happens on the create_session endpoint when trying to decide if the user has access:
bsky-gatekeeper  |  internal client error: No compatible authentication mechanism was found

Hey, I'm sorry I missed this. @fry69.dev hit a similar issue and pinged me. Their solution was for Postfix and was to set ?tls=required at the end of the PDS SMTP URL. May try that. Which email provider are you using?

A thread talking about it a bit

https://bsky.app/profile/baileytownsend.dev/post/3m5o2ypt3hk2q

Here’s a list of different configurations to try https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url

FYI: I saw the same errors on my PDS using a self-hosted Postfix mail system to deliver the mail.

Turns out Postfix follows standard MUA and protocol guidelines and does not announce AUTH on port 587 before STARTTLS. And the lettre mailer from Rust is also very picky and does not upgrade via STARTTLS without nudging, unlike most MUAs, which try this on their own when they see it offered by the SMTP host.

TL;DR: Adding ?tls=required at the end of the SMTP URL fixed this problem for me. It is compatible with nodemailer, which the main PDS implementation uses; verification emails still get sent, as do 2FA mails.

See here -> https://bsky.app/profile/testacc9123.altq.net/post/3m5o7asv3h22q
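Added example, not code from the gatekeeper project or from anyone in this thread: a small Python check that parses the EHLO reply before and after STARTTLS and classifies whether the server only advertises AUTH once TLS is up, which is the Postfix submission-port behaviour described above. The client mechanism list is an assumption standing in for whatever the mailer library actually supports.

```python
import smtplib
import ssl

# Assumption: mechanisms a typical SMTP client library offers. lettre's real
# list is not given on the page, so this set is illustrative only.
CLIENT_MECHANISMS = {"PLAIN", "LOGIN", "XOAUTH2"}

def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {EXTENSION: [PARAM, ...]}."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        body = line[4:].strip()                    # drop "250-" / "250 "
        if body:
            name, *params = body.split()
            features[name.upper()] = [p.upper() for p in params]
    return features

def compatible_auth(features: dict) -> set:
    """Mechanisms both sides support; empty means the error in the log."""
    return set(features.get("AUTH", [])) & CLIENT_MECHANISMS

def diagnose(pre_tls: dict, post_tls: dict) -> str:
    """Classify how the server exposes AUTH before and after STARTTLS."""
    if compatible_auth(pre_tls):
        return "auth-before-starttls"    # plaintext auth allowed; weak server config
    if "STARTTLS" in pre_tls and compatible_auth(post_tls):
        return "needs-tls-required"      # the Postfix case: set ?tls=required
    return "no-compatible-mechanism"     # fails even after STARTTLS

def _features(conn: smtplib.SMTP) -> dict:
    return {k.upper(): v.upper().split() for k, v in conn.esmtp_features.items()}

def live_check(host: str, port: int = 587) -> str:
    """Run the same classification against a real server (needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        pre = _features(conn)
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()
        post = _features(conn)
    return diagnose(pre, post)

# Constructed sample replies modelled on a Postfix submission port (587).
PRE_STARTTLS = """250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
POST_STARTTLS = """250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""
```

Run `live_check("your.mail.host")` against your own submission port to see which case applies before changing the SMTP URL.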

AT URI
at://did:plc:fmzbxvltokm3fei7hi7mt53z/sh.tangled.repo.issue/3m3dzwwlje422