On 13/03/2015 17:14, Emmanuel Fusté wrote:
On 11/03/2015 16:54, Emmanuel Fusté wrote:
On 11/03/2015 16:39, Viktor Dukhovni wrote:
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:

Hello,

On a heavily I/O-loaded Postfix (2.11.0) server, I've got this behavior:

535 5.7.8 Error: authentication failed: Connection lost to authentication server
Mar 10 16:37:08 xxxxxxxxx postfix/smtpd[20613]: warning: x.x.x[x.x.x.x]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server

OK, I have an I/O load problem with this server, but a 535 error code is too 
much; I was expecting a 454 error code as stated in RFC2554.
A complete solution would require handling similar problems for
Cyrus SASL, but I never got a meaningful response to:

       http://archives.neohapsis.com/archives/postfix/2008-12/0405.html
       https://www.mail-archive.com/postfix-users@postfix.org/msg56129.html

You could try the patch below and report your results (presumably
for Dovecot).  It would be nice to have confirmation for Cyrus
also.

Thank you!

Will test and report the result ASAP.

Regards,
Emmanuel.
OK, works as expected! Thank you.
But to be complete, we should change XSASL_AUTH_FAIL -> XSASL_AUTH_TEMP
in xsasl_dovecot_server_first (last and perhaps first occurrence too),
in xsasl_dovecot_server_next (last occurrence).
Shouldn't we?

Emmanuel.
OK, what do you think about this one?
I added XSASL_AUTH_TEMP in case of a crashed / stopped Dovecot auth server too.

Emmanuel.

diff -r -u postfix-2.11.0.orig/src/smtpd/smtpd_sasl_glue.c 
postfix-2.11.0/src/smtpd/smtpd_sasl_glue.c
--- postfix-2.11.0.orig/src/smtpd/smtpd_sasl_glue.c     2013-12-24 
21:55:03.000000000 +0100
+++ postfix-2.11.0/src/smtpd/smtpd_sasl_glue.c  2015-03-13 14:19:54.000000000 
+0100
@@ -316,8 +316,12 @@
                 state->namaddr, sasl_method,
                 STR(state->sasl_reply));
        /* RFC 4954 Section 6. */
-       smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
-                        STR(state->sasl_reply));
+       if (status == XSASL_AUTH_TEMP)
+           smtpd_chat_reply(state, "454 4.7.0 Temporary authentication 
failure: %s",
+                            STR(state->sasl_reply));
+       else
+           smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: 
%s",
+                            STR(state->sasl_reply));
        return (-1);
     }
     /* RFC 4954 Section 6. */
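Review bot: The warning call whose arguments (state->namaddr, sasl_method, STR(state->sasl_reply)) appear as context at the top of this hunk is left as is, so an XSASL_AUTH_TEMP result is still logged in the same form as a credential failure, as in the "SASL CRAM-MD5 authentication failed: Connection lost to authentication server" line quoted at the start of the thread. Anything that counts those log lines per client will keep charging backend outages to the client, so consider a distinct log wording for the temporary case alongside the 454 reply. Minor: the two smtpd_chat_reply() calls differ only in the format string, so choosing the string first would avoid duplicating the call.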
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl_cyrus_server.c 
postfix-2.11.0/src/xsasl/xsasl_cyrus_server.c
--- postfix-2.11.0.orig/src/xsasl/xsasl_cyrus_server.c  2015-03-13 
18:01:50.000000000 +0100
+++ postfix-2.11.0/src/xsasl/xsasl_cyrus_server.c       2015-03-13 
14:19:54.000000000 +0100
@@ -477,7 +477,13 @@
        if (sasl_status == SASL_NOUSER)         /* privacy */
            sasl_status = SASL_BADAUTH;
        vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
-       return (XSASL_AUTH_FAIL);
+       switch (sasl_status) {
+       case SASL_TRYAGAIN:
+       case SASL_UNAVAIL:
+           return XSASL_AUTH_TEMP;
+       default:
+           return (XSASL_AUTH_FAIL);
+       }
     }
 }
 
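Review bot: In the new switch, "return XSASL_AUTH_TEMP;" drops the parentheses that "return (XSASL_AUTH_FAIL);" keeps in the default branch; use one style. Please also add a comment saying why SASL_TRYAGAIN and SASL_UNAVAIL are the only codes treated as temporary, since every other sasl_status on this path still ends in the permanent 535 reply.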
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl_dovecot_server.c 
postfix-2.11.0/src/xsasl/xsasl_dovecot_server.c
--- postfix-2.11.0.orig/src/xsasl/xsasl_dovecot_server.c        2011-11-17 
22:53:25.000000000 +0100
+++ postfix-2.11.0/src/xsasl/xsasl_dovecot_server.c     2015-03-13 
17:43:34.000000000 +0100
@@ -580,7 +580,7 @@
     }
 
     vstring_strcpy(reply, "Connection lost to authentication server");
-    return XSASL_AUTH_FAIL;
+    return XSASL_AUTH_TEMP;
 }
 
 /* is_valid_base64 - input sanitized */
@@ -637,7 +637,7 @@
     for (i = 0; i < 2; i++) {
        if (!server->impl->sasl_stream) {
            if (xsasl_dovecot_server_connect(server->impl) < 0)
-               return (0);
+               return XSASL_AUTH_TEMP;
        }
        /* send the request */
        server->last_request_id = ++server->impl->request_id_counter;
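Review bot: The connect-failure branch now returns XSASL_AUTH_TEMP, but nothing in the visible lines copies a reason into reply before returning, unlike the i == 1 path in the next hunk, which sets "Can't connect to authentication server". The smtpd_sasl_glue.c hunk formats STR(state->sasl_reply) into the 454 line, so this path can send an empty or stale reason; add a vstring_strcpy(reply, ...) before the return. The old value here was a bare 0 rather than XSASL_AUTH_FAIL, which is worth stating in the change description because it alters what callers see on this path.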
@@ -668,7 +668,7 @@
 
        if (i == 1) {
            vstring_strcpy(reply, "Can't connect to authentication server");
-           return XSASL_AUTH_FAIL;
+           return XSASL_AUTH_TEMP;
        }
 
        /*
@@ -696,7 +696,7 @@
                    "CONT\t%u\t%s\n", server->last_request_id, request);
     if (vstream_fflush(server->impl->sasl_stream) == VSTREAM_EOF) {
        vstring_strcpy(reply, "Connection lost to authentication server");
-       return XSASL_AUTH_FAIL;
+       return XSASL_AUTH_TEMP;
     }
     return xsasl_dovecot_handle_reply(server, reply);
 }
diff -r -u postfix-2.11.0.orig/src/xsasl/xsasl.h 
postfix-2.11.0/src/xsasl/xsasl.h
--- postfix-2.11.0.orig/src/xsasl/xsasl.h       2009-04-19 01:39:16.000000000 
+0200
+++ postfix-2.11.0/src/xsasl/xsasl.h    2015-03-13 14:19:54.000000000 +0100
@@ -121,6 +121,7 @@
 #define XSASL_AUTH_DONE        3               /* Authentication completed */
 #define XSASL_AUTH_FORM        4               /* Cannot decode response */
 #define XSASL_AUTH_FAIL        5               /* Error */
+#define XSASL_AUTH_TEMP        6               /* Temporary error condition */
 
 /* LICENSE
 /* .ad
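Review bot: XSASL_AUTH_TEMP is introduced with only the one-line comment "Temporary error condition", and the patch touches smtpd_sasl_glue.c and the two server plug-ins but no other consumer of these status codes. State in xsasl.h which entry points may return the new value, and check that callers comparing against XSASL_AUTH_FAIL or XSASL_AUTH_DONE handle the value 6 deliberately rather than by accident.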

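The same temporary-versus-permanent distinction applies when reading the logs: an added example (not part of the thread or of Postfix) that separates the two backend-outage reasons set in the Dovecot hunks above from credential failures before counting failures per client. The sample lines are constructed in the format of the warning quoted in the thread; the reason text "authentication failure", the host name "mx" and the threshold are assumptions.

```python
import re
from collections import Counter

# Reason strings that the Dovecot hunks on this page return with XSASL_AUTH_TEMP.
BACKEND_REASONS = (
    "Connection lost to authentication server",
    "Can't connect to authentication server",
)

# Line format taken from the smtpd warning quoted in the thread.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$"
)

def classify(line):
    """Return (ip, 'backend' | 'credential'), or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    reason = m.group("reason").strip()
    kind = "backend" if reason in BACKEND_REASONS else "credential"
    return m.group("ip"), kind

def triage(lines, threshold=3):
    """Count credential failures per client; tally backend outages separately."""
    cred, backend = Counter(), 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, kind = hit
        if kind == "backend":
            backend += 1          # server-side problem, not the client's fault
        else:
            cred[ip] += 1
    suspects = sorted(ip for ip, n in cred.items() if n >= threshold)
    return {"suspects": suspects, "backend_errors": backend}

# Constructed sample input (documentation address ranges).
PFX = "Mar 10 16:40:00 mx postfix/smtpd[20620]: "
SAMPLE = [
    PFX + "warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: "
          "Connection lost to authentication server",
    PFX + "warning: unknown[192.0.2.11]: SASL PLAIN authentication failed: "
          "Can't connect to authentication server",
] + [
    PFX + "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: "
          "authentication failure"
] * 3 + [PFX + "connect from unknown[192.0.2.10]"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```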