Re: Fall back when dovecot SASL is unavailable?

  • Victor Duchovni
    Message 1 of 6 , Oct 1, 2009
      On Thu, Oct 01, 2009 at 03:08:31PM +0200, Hagen Fürstenau wrote:

      > I'm using dovecot for SASL authentication:
      >
      > smtpd_sasl_auth_enable = yes
      > smtpd_recipient_restrictions =
      >     permit_mynetworks
      >     permit_sasl_authenticated
      >     reject_unauth_destination
      > smtpd_sasl_type = dovecot
      > smtpd_sasl_path = private/auth-client
      >
      > Now if for whatever reason dovecot is not running, smtpd will also
      > refuse to work, complaining "fatal: no SASL authentication mechanisms".
      > I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
      > that case, so that mail for local recipients can still be received. Is
      > this possible?

      This would incorrectly reject mail, due to a transient problem
      (authentication down). A better solution would be to 4XX fail all auth
      attempts.

      Frankly, configure SASL just on port 587, and *require* SASL there, in
      which case, no point in running the service while SASL is down.

      Keep your dovecot server running.

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
    • mouss
      Message 2 of 6 , Oct 1, 2009
        Ralf Hildebrandt wrote:
        > * Hagen Fürstenau <hfuerstenau@...>:
        >> Hi,
        >>
        >> I'm using dovecot for SASL authentication:
        >>
        >> smtpd_sasl_auth_enable = yes
        >> smtpd_recipient_restrictions =
        >>     permit_mynetworks
        >>     permit_sasl_authenticated
        >>     reject_unauth_destination
        >> smtpd_sasl_type = dovecot
        >> smtpd_sasl_path = private/auth-client
        >>
        >> Now if for whatever reason dovecot is not running, smtpd will also
        >> refuse to work, complaining "fatal: no SASL authentication mechanisms".
        >
        > Indeed!
        >
        >> I would much prefer it to fall back to "smtpd_sasl_auth_enable = no" in
        >> that case, so that mail for local recipients can still be received. Is
        >> this possible?
        >
        > It's the one problem we're having here as well: When updating dovecot,
        > postfix won't work due to that...
        >

        for the auth part, only enable auth for submission (587).

        for the "deliver" part, make it after the filter, so that mail is still
        kept in the local queue.

        I used to stop postfix while upgrading dovecot, but I don't do that
        anymore. I now only stop postfix if upgrading mysql (I thought about
        dumping the db and changing postfix config, but this is too much...).
      • Hagen Fürstenau
        Message 3 of 6 , Oct 2, 2009
          > Frankly, configure SASL just on port 587, and *require* SASL there, in
          > which case, no point in running the service while SASL is down.

          That's a good idea, thanks.

          Cheers,
          Hagen
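
The layout both replies recommend (SASL off on port 25, required on the 587 submission service), as an added configuration example that is not part of the original thread. The master.cf column values and the TLS override are assumptions based on Postfix's stock master.cf, not taken from the posters' systems:

```conf
# --- main.cf ---
# Before (from the original post): SASL enabled for every smtpd instance,
# so port 25 also dies with "fatal: no SASL authentication mechanisms"
# whenever dovecot is not running.
#   smtpd_sasl_auth_enable = yes

# After: SASL off by default, so the port-25 smtpd does not depend on dovecot.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# --- master.cf ---
# Port 25: MX traffic, inherits main.cf (no SASL offered).
smtp       inet  n       -       n       -       -       smtpd

# Port 587: SASL enabled and required, via per-service overrides only.
# Assumption: TLS is already configured on this host, so the "encrypt"
# override keeps credentials from crossing the wire in clear text.
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this split, a dovecot outage takes down only the submission service; port 25 keeps accepting mail for local recipients, and remote users who need to relay must authenticate on 587.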