Fall back when dovecot SASL is unavailable?

  • Hagen Fürstenau
    Message 1 of 6 , Oct 1, 2009
      Hi,

      I'm using dovecot for SASL authentication:

      smtpd_sasl_auth_enable = yes
      smtpd_recipient_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth-client

      Now if for whatever reason dovecot is not running, smtpd will also
      refuse to work, complaining "fatal: no SASL authentication mechanisms".
      I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
      that case, so that mail for local recipients can still be received. Is
      this possible?

      Cheers,
      Hagen
    • Ralf Hildebrandt
      Message 2 of 6 , Oct 1, 2009
        * Hagen Fürstenau <hfuerstenau@...>:
        > Hi,
        >
        > I'm using dovecot for SASL authentication:
        >
        > smtpd_sasl_auth_enable = yes
        > smtpd_recipient_restrictions =
        > permit_mynetworks
        > permit_sasl_authenticated
        > reject_unauth_destination
        > smtpd_sasl_type = dovecot
        > smtpd_sasl_path = private/auth-client
        >
        > Now if for whatever reason dovecot is not running, smtpd will also
        > refuse to work, complaining "fatal: no SASL authentication mechanisms".

        Indeed!

        > I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
        > that case, so that mail for local recipients can still be received. Is
        > this possible?

        It's the one problem we're having here as well: When updating dovecot,
        postfix won't work due to that...

        --
        Ralf Hildebrandt
        Geschäftsbereich IT | Abteilung Netzwerk
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Eero Volotinen
        Message 3 of 6 , Oct 1, 2009
          >> Now if for whatever reason dovecot is not running, smtpd will also
          >> refuse to work, complaining "fatal: no SASL authentication mechanisms".
          >
          > Indeed!
          >
          >> I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
          >> that case, so that mail for local recipients can still be received. Is
          >> this possible?
          >
          > It's the one problem we're having here as well: When updating dovecot,
          > postfix won't work due to that...

          Yes, problem also exists when imap crashes or wrong startup order.

          --
          Eero
        • Victor Duchovni
          Message 4 of 6 , Oct 1, 2009
            On Thu, Oct 01, 2009 at 03:08:31PM +0200, Hagen Fürstenau wrote:

            > I'm using dovecot for SASL authentication:
            >
            > smtpd_sasl_auth_enable = yes
            > smtpd_recipient_restrictions =
            > permit_mynetworks
            > permit_sasl_authenticated
            > reject_unauth_destination
            > smtpd_sasl_type = dovecot
            > smtpd_sasl_path = private/auth-client
            >
            > Now if for whatever reason dovecot is not running, smtpd will also
            > refuse to work, complaining "fatal: no SASL authentication mechanisms".
            > I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
            > that case, so that mail for local recipients can still be received. Is
            > this possible?

            This would incorrectly reject mail, due to a transient problem
            (authentication down). A better solution would be to 4XX fail all auth
            attempts.

            Frankly, configure SASL just on port 587, and *require* SASL there, in
            which case, no point in running the service while SASL is down.

            Keep your dovecot server running.

            --
            Viktor.

          • mouss
            Message 5 of 6 , Oct 1, 2009
              Ralf Hildebrandt wrote:
              > * Hagen Fürstenau <hfuerstenau@...>:
              >> Hi,
              >>
              >> I'm using dovecot for SASL authentication:
              >>
              >> smtpd_sasl_auth_enable = yes
              >> smtpd_recipient_restrictions =
              >> permit_mynetworks
              >> permit_sasl_authenticated
              >> reject_unauth_destination
              >> smtpd_sasl_type = dovecot
              >> smtpd_sasl_path = private/auth-client
              >>
              >> Now if for whatever reason dovecot is not running, smtpd will also
              >> refuse to work, complaining "fatal: no SASL authentication mechanisms".
              >
              > Indeed!
              >
              >> I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
              >> that case, so that mail for local recipients can still be received. Is
              >> this possible?
              >
              > It's the one problem we're having here as well: When updating dovecot,
              > postfix won't work due to that...
              >

              for the auth part, only enable auth for submission (587).

              for the "deliver" part, make it after the filter, so that mail is still
              kept in the local queue.

              I used to stop postfix while upgrading dovecot, but I don't do that
              anymore. I now only stop postfix if upgrading mysql (I thought about
              dumping the db and changing postfix config, but this is too much...).
            • Hagen Fürstenau
              Message 6 of 6 , Oct 2, 2009
                > Frankly, configure SASL just on port 587, and *require* SASL there, in
                > which case, no point in running the service while SASL is down.

                That's a good idea, thanks.

                Cheers,
                Hagen
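
The layout suggested in messages 4 and 5 (SASL only on port 587, and required there), written out as Postfix configuration. This is an added example, not part of any message in the thread; the SASL type and path come from the original post, while the `master.cf` column values and the TLS setting are assumptions (stock layout, TLS certificate already configured).

```conf
# ---- main.cf ----
# SASL backend settings from the original post. They stay global but are
# only used by services that turn smtpd_sasl_auth_enable on.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client

# Port 25 no longer offers AUTH, so its smtpd does not depend on the
# dovecot auth socket and keeps accepting mail for local recipients
# while dovecot is stopped or being upgraded.
# permit_sasl_authenticated is dropped here: nobody can authenticate on 25.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# ---- master.cf ----
# Port 25 (MX traffic): inherits the main.cf settings above.
smtp       inet  n       -       n       -       -       smtpd

# Port 587 (submission): AUTH is enabled and required only here.
# If dovecot is down this service fails, which is acceptable because
# every client on this port must authenticate anyway.
# Assumption: smtpd_tls_security_level=encrypt needs a working TLS
# certificate; it keeps credentials off cleartext connections.
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Run `postfix check` and then `postfix reload` after editing both files.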