On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fust? wrote: > Hello, > > On a heavy i/o loaded Postfix (2.11.0) server, i've got this behavior: > > 535 5.7.8 Error: authentication failed: Connection lost to authentication > server
> Mar 10 16:37:08 xxxxxxxxx postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL > CRAM-MD5 authentication failed: Connection lost to authentication server > > Ok, I have an i/o load problem with this server, but a 535 error code is too > much, I was expecting a 454 error code as stated in RFC2554. A complete solution would require handling similar problems for Cyrus SASL, but I never got a meaningful response to: http://archives.neohapsis.com/archives/postfix/2008-12/0405.html https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html You could try the patch below and report your results (presumably for Dovecot). It would be nice to have confirmation for Cyrus also. -- Viktor.
diff --git a/src/xsasl/xsasl.h b/src/xsasl/xsasl.h
--- a/src/xsasl/xsasl.h
+++ b/src/xsasl/xsasl.h
@@ -121,6 +121,7 @@ extern ARGV *xsasl_client_types(void);
 #define XSASL_AUTH_DONE 3 /* Authentication completed */
 #define XSASL_AUTH_FORM 4 /* Cannot decode response */
 #define XSASL_AUTH_FAIL 5 /* Error */
+#define XSASL_AUTH_TEMP 6 /* Temporary error condition */
 /* LICENSE
 /* .ad
diff --git a/src/smtpd/smtpd_sasl_glue.c b/src/smtpd/smtpd_sasl_glue.c
--- a/src/smtpd/smtpd_sasl_glue.c
+++ b/src/smtpd/smtpd_sasl_glue.c
@@ -316,8 +316,12 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state,
 state->namaddr, sasl_method, STR(state->sasl_reply));
 /* RFC 4954 Section 6. */
- smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
- STR(state->sasl_reply));
+ if (status == XSASL_AUTH_TEMP)
+ smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
+ STR(state->sasl_reply));
+ else
+ smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
+ STR(state->sasl_reply));
 return (-1);
 }
 /* RFC 4954 Section 6. */
diff --git a/src/xsasl/xsasl_cyrus_server.c b/src/xsasl/xsasl_cyrus_server.c
--- a/src/xsasl/xsasl_cyrus_server.c
+++ b/src/xsasl/xsasl_cyrus_server.c
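Review bot: In the smtpd_sasl_glue.c hunk the new 454 branch sits between the unchanged warning call (its argument tail is the first context line) and the unchanged `return (-1);`, so a backend outage appears to be logged and reported to the caller the same way as a rejected credential. The quoted log line in the message reads "authentication failed: Connection lost to authentication server", so log-based failed-login counters, and any per-client error accounting in the caller (not visible here), would presumably charge outages to the client; worth confirming, and if so giving the temporary case its own log wording. Separately, the 454 reply forwards `STR(state->sasl_reply)` to a peer that has not authenticated; a fixed reply such as `smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure");` would keep backend detail in the log only. The enclosing function starts and ends outside the hunk.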
@@ -474,7 +474,13 @@ static int xsasl_cyrus_server_auth_response(int sasl_status,
 if (sasl_status == SASL_NOUSER) /* privacy */
 sasl_status = SASL_BADAUTH;
 vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
- return (XSASL_AUTH_FAIL);
+ switch (sasl_status) {
+ case SASL_TRYAGAIN:
+ case SASL_UNAVAIL:
+ return XSASL_AUTH_TEMP;
+ default:
+ return (XSASL_AUTH_FAIL);
+ }
 }
 }
diff --git a/src/xsasl/xsasl_dovecot_server.c b/src/xsasl/xsasl_dovecot_server.c
--- a/src/xsasl/xsasl_dovecot_server.c
+++ b/src/xsasl/xsasl_dovecot_server.c
@@ -598,7 +598,7 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
 }
 vstring_strcpy(reply, "Connection lost to authentication server");
- return XSASL_AUTH_FAIL;
+ return XSASL_AUTH_TEMP;
 }
 /* is_valid_base64 - input sanitized */
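Review bot: Only `SASL_TRYAGAIN` and `SASL_UNAVAIL` are treated as transient in the new switch of xsasl_cyrus_server_auth_response, and nothing here shows that the Cyrus password-verification backends in use report an unreachable backend with those codes. If they return a generic failure code instead, it still falls to `default` and yields 535; this is what the message asks testers to confirm. The switch sits after the `SASL_NOUSER` rewrite, so an unknown user still ends in the permanent-failure branch; a comment would guard against reordering, e.g. `/* Keep after the SASL_NOUSER mapping: only availability errors may become 4xx. */`. As a style point, `return XSASL_AUTH_TEMP;` should be `return (XSASL_AUTH_TEMP);` to match the parenthesised return next to it. The function body starts outside the hunk.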
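Review bot: Only the final "Connection lost to authentication server" exit of xsasl_dovecot_handle_reply is switched to `XSASL_AUTH_TEMP`; the function's other failure exits lie outside the hunk. It cannot be seen here whether a failure line that the auth server itself marks as temporary, or a failure to reach the server in the first place, still returns `XSASL_AUTH_FAIL` and ends up as a 535. Those paths are worth checking so the 4xx/5xx split is consistent for every backend-availability error. A short comment on the changed return would record the intent, e.g. `/* Backend connection dropped: not a credential verdict, report as temporary. */`.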