On 2016-04-06 16:19, Benning, Markus wrote:
In sasl.h:
#define SASL_FAIL -1 /* generic failure */
Could this one be added to the AUTH_TEMP case?
I took a look at the cyrus-sasl code in lib/checkpw.c and most error cases
there return SASL_FAIL.
Wrong credentials return SASL_BADAUTH, SASL_NOAUTHZ
or something like SASL_PWLOCK, etc.
A list of codes is in <sasl/sasl.h> but I could not find much
documentation about their usage.
As server-side errors should result in a temporary SMTP error code,
I suggest mapping at least SASL_FAIL to the XSASL_AUTH_TEMP status.
diff --git a/postfix/src/xsasl/xsasl_cyrus_server.c
b/postfix/src/xsasl/xsasl_cyrus_server.c
index 95c470d..91f93ab 100644
--- a/postfix/src/xsasl/xsasl_cyrus_server.c
+++ b/postfix/src/xsasl/xsasl_cyrus_server.c
@@ -480,6 +480,8 @@ static int xsasl_cyrus_server_auth_response(int
sasl_status,
sasl_status = SASL_BADAUTH;
vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
switch (sasl_status) {
+ case SASL_FAIL:
+ case SASL_NOMEM:
case SASL_TRYAGAIN:
case SASL_UNAVAIL:
return XSASL_AUTH_TEMP;
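Review bot: The new `case SASL_FAIL:` and `case SASL_NOMEM:` labels carry no comment saying why they are treated as temporary, and the accompanying message argues only for SASL_FAIL, so SASL_NOMEM arrives unexplained. Since sasl.h describes SASL_FAIL as "generic failure", it can also cover conditions that are not transient, and returning XSASL_AUTH_TEMP for those will make clients keep retrying. Please add a short comment above the two labels stating that they are assumed to be server-side failures, and either justify SASL_NOMEM in the description or move it to a separate change. Also confirm that the reply text set by `xsasl_cyrus_strerror(sasl_status)` just before the switch is what a client should see together with a temporary status.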
--
https://markusbenning.de/