Loading ...
Sorry, an error occurred while loading the content.

SASL defer rather then reject

Expand Messages
  • Patrik Båt
    Hello! When saslauthd crashes or beeing stopped, mails are bounced. eg: 535 5.7.8 Error: authentication failed: generic failure Can I somehow change it to just
    Message 1 of 13 , Feb 4, 2014
    • 0 Attachment
      Hello!

      When saslauthd crashes or beeing stopped, mails are bounced.
      eg: 535 5.7.8 Error: authentication failed: generic failure

      Can I somehow change it to just defer?

      // Patrik
    • lists@rhsoft.net
      ... that makes no sense what do you do with that messages later? how do you authenticate that messages later? bounce them all and get a backscatter?
      Message 2 of 13 , Feb 4, 2014
      • 0 Attachment
        Am 04.02.2014 14:57, schrieb Patrik Båt:
        > When saslauthd crashes or beeing stopped, mails are bounced.
        > eg: 535 5.7.8 Error: authentication failed: generic failure
        >
        > Can I somehow change it to just defer?

        that makes no sense

        what do you do with that messages later?
        how do you authenticate that messages later?
        bounce them all and get a backscatter?
      • LuKreme
        ... Well, first off, why is saslauthd crashing? Fix that. ... Are you talking about SASL on submission? because that would not classify as a bounce. Are you
        Message 3 of 13 , Feb 4, 2014
        • 0 Attachment
          On 04 Feb 2014, at 06:57 , Patrik Båt <pb@...> wrote:

          > When saslauthd crashes or beeing stopped, mails are bounced.

          Well, first off, why is saslauthd crashing? Fix that.

          > eg: 535 5.7.8 Error: authentication failed: generic failure

          Are you talking about SASL on submission? because that would not classify as a bounce. Are you using and requiring SASL for delivery? That’s not a good idea.


          --
          You know, in a world in which Bush and Blair can be nominated for the
          Nobel Peace Prize, "for having dared to take the necessary decision to
          launch a war on Iraq without having the support of the UN" I find myself
          agreeing with Tom Lehrer: satire is dead. - Neil Gaiman
        • Patrik Båt
          ... saslauthd[33257]: DEBUG: auth_pam: pam_authenticate failed: Memory buffer error I m getting this on about 2-4 days of running saslauthd, restart fixes
          Message 4 of 13 , Feb 4, 2014
          • 0 Attachment
            On tis 4 feb 2014 15:13:03, LuKreme wrote:
            >
            > On 04 Feb 2014, at 06:57 , Patrik Båt <pb@...> wrote:
            >
            >> When saslauthd crashes or beeing stopped, mails are bounced.
            >
            > Well, first off, why is saslauthd crashing? Fix that.
            saslauthd[33257]: DEBUG: auth_pam: pam_authenticate failed: Memory
            buffer error

            I'm getting this on about 2-4 days of running saslauthd, restart
            "fixes" the problem.
            >
            >> eg: 535 5.7.8 Error: authentication failed: generic failure
            >
            > Are you talking about SASL on submission? because that would not classify as a bounce. Are you using and requiring SASL for delivery? That’s not a good idea.

            It is setup like this:

            Client->MSA->SASL-ME->INTERNET

            So the bounce is to the MSA.
          • Viktor Dukhovni
            ... If you have a dedicated submission/relay service to which *all* clients must authenticate, then you can set the restrictions to defer after allowing
            Message 5 of 13 , Feb 4, 2014
            • 0 Attachment
              On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:

              > When saslauthd crashes or beeing stopped, mails are bounced.
              > eg: 535 5.7.8 Error: authentication failed: generic failure
              >
              > Can I somehow change it to just defer?

              If you have a dedicated submission/relay service to which *all*
              clients must authenticate, then you can set the restrictions to
              "defer" after allowing authenticated users.

              main.cf:
              # Postfix >= 2.10 variant (uncomment below and comment-out variant for
              # earlier versions.
              #
              #submission_relay_restrictions = permit_sasl_authenticated, defer
              #submission_recipient_restrictions =

              # Earlier versions variant
              #
              submission_recipient_restrictions = permit_sasl_authenticated, defer

              master.cf:
              # Replace "submission" with appropriate IP:port as required.
              # Replace "submission" with appropriate IP:port as required.
              submission inet n ... smtpd
              -o smtpd_client_restrictions=
              -o smtpd_helo_restrictions=
              -o smtpd_sender_restrictions=
              # Uncomment with Postfix >= 2.10
              # -o smtpd_relay_restrictions=$submission_relay_restrictions
              -o smtpd_recipient_restrictions=$submission_recipient_restrictions
              -o smtpd_data_restrictions=
              -o smtpd_end_of_data_restrictions=
              ...

              Do not do this on any SMTP listener that also handles inbound mail
              (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
              for all clients.

              --
              Viktor.
            • Patrik Båt
              ... Thanks alot Victor! I ve done this tho, but it wasn t working, so I have restrictions somewhere else also, so i need to figur that out, but then my
              Message 6 of 13 , Feb 4, 2014
              • 0 Attachment
                On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
                > On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
                >
                >> When saslauthd crashes or beeing stopped, mails are bounced.
                >> eg: 535 5.7.8 Error: authentication failed: generic failure
                >>
                >> Can I somehow change it to just defer?
                >
                > If you have a dedicated submission/relay service to which *all*
                > clients must authenticate, then you can set the restrictions to
                > "defer" after allowing authenticated users.
                >
                > main.cf:
                > # Postfix >= 2.10 variant (uncomment below and comment-out variant for
                > # earlier versions.
                > #
                > #submission_relay_restrictions = permit_sasl_authenticated, defer
                > #submission_recipient_restrictions =
                >
                > # Earlier versions variant
                > #
                > submission_recipient_restrictions = permit_sasl_authenticated, defer
                >
                > master.cf:
                > # Replace "submission" with appropriate IP:port as required.
                > # Replace "submission" with appropriate IP:port as required.
                > submission inet n ... smtpd
                > -o smtpd_client_restrictions=
                > -o smtpd_helo_restrictions=
                > -o smtpd_sender_restrictions=
                > # Uncomment with Postfix >= 2.10
                > # -o smtpd_relay_restrictions=$submission_relay_restrictions
                > -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                > -o smtpd_data_restrictions=
                > -o smtpd_end_of_data_restrictions=
                > ...
                >
                > Do not do this on any SMTP listener that also handles inbound mail
                > (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
                > for all clients.
                >

                Thanks alot Victor!

                I've done this tho, but it wasn't working, so I have restrictions
                somewhere else also, so i need to figur that out, but then my
                conclusion wasn't that off :)
              • Patrik Båt
                ... Hmm, Victor are you sure this works? I m running postfix version 2.9.6 on Debian Wheezy.
                Message 7 of 13 , Feb 5, 2014
                • 0 Attachment
                  On tis 4 feb 2014 15:42:04, Patrik Båt wrote:
                  > On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
                  >> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
                  >>
                  >>> When saslauthd crashes or beeing stopped, mails are bounced.
                  >>> eg: 535 5.7.8 Error: authentication failed: generic failure
                  >>>
                  >>> Can I somehow change it to just defer?
                  >>
                  >> If you have a dedicated submission/relay service to which *all*
                  >> clients must authenticate, then you can set the restrictions to
                  >> "defer" after allowing authenticated users.
                  >>
                  >> main.cf:
                  >> # Postfix >= 2.10 variant (uncomment below and comment-out variant for
                  >> # earlier versions.
                  >> #
                  >> #submission_relay_restrictions = permit_sasl_authenticated, defer
                  >> #submission_recipient_restrictions =
                  >>
                  >> # Earlier versions variant
                  >> #
                  >> submission_recipient_restrictions = permit_sasl_authenticated, defer
                  >>
                  >> master.cf:
                  >> # Replace "submission" with appropriate IP:port as required.
                  >> # Replace "submission" with appropriate IP:port as required.
                  >> submission inet n ... smtpd
                  >> -o smtpd_client_restrictions=
                  >> -o smtpd_helo_restrictions=
                  >> -o smtpd_sender_restrictions=
                  >> # Uncomment with Postfix >= 2.10
                  >> # -o smtpd_relay_restrictions=$submission_relay_restrictions
                  >> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                  >> -o smtpd_data_restrictions=
                  >> -o smtpd_end_of_data_restrictions=
                  >> ...
                  >>
                  >> Do not do this on any SMTP listener that also handles inbound mail
                  >> (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
                  >> for all clients.
                  >>
                  >
                  > Thanks alot Victor!
                  >
                  > I've done this tho, but it wasn't working, so I have restrictions
                  > somewhere else also, so i need to figur that out, but then my
                  > conclusion wasn't that off :)
                  >

                  Hmm, Victor are you sure this works?
                  I'm running postfix version 2.9.6 on Debian Wheezy.
                • Patrik Båt
                  ... I think there is no option to change this atm :P eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c) if (status != XSASL_AUTH_DONE) { msg_warn( %s:
                  Message 8 of 13 , Feb 5, 2014
                  • 0 Attachment
                    On ons 5 feb 2014 09:17:57, Patrik Båt wrote:
                    > On tis 4 feb 2014 15:42:04, Patrik Båt wrote:
                    >> On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
                    >>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
                    >>>
                    >>>> When saslauthd crashes or beeing stopped, mails are bounced.
                    >>>> eg: 535 5.7.8 Error: authentication failed: generic failure
                    >>>>
                    >>>> Can I somehow change it to just defer?
                    >>>
                    >>> If you have a dedicated submission/relay service to which *all*
                    >>> clients must authenticate, then you can set the restrictions to
                    >>> "defer" after allowing authenticated users.
                    >>>
                    >>> main.cf:
                    >>> # Postfix >= 2.10 variant (uncomment below and comment-out variant for
                    >>> # earlier versions.
                    >>> #
                    >>> #submission_relay_restrictions = permit_sasl_authenticated, defer
                    >>> #submission_recipient_restrictions =
                    >>>
                    >>> # Earlier versions variant
                    >>> #
                    >>> submission_recipient_restrictions = permit_sasl_authenticated, defer
                    >>>
                    >>> master.cf:
                    >>> # Replace "submission" with appropriate IP:port as required.
                    >>> # Replace "submission" with appropriate IP:port as required.
                    >>> submission inet n ... smtpd
                    >>> -o smtpd_client_restrictions=
                    >>> -o smtpd_helo_restrictions=
                    >>> -o smtpd_sender_restrictions=
                    >>> # Uncomment with Postfix >= 2.10
                    >>> # -o smtpd_relay_restrictions=$submission_relay_restrictions
                    >>> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                    >>> -o smtpd_data_restrictions=
                    >>> -o smtpd_end_of_data_restrictions=
                    >>> ...
                    >>>
                    >>> Do not do this on any SMTP listener that also handles inbound mail
                    >>> (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
                    >>> for all clients.
                    >>>
                    >>
                    >> Thanks alot Victor!
                    >>
                    >> I've done this tho, but it wasn't working, so I have restrictions
                    >> somewhere else also, so i need to figur that out, but then my
                    >> conclusion wasn't that off :)
                    >>
                    >
                    > Hmm, Victor are you sure this works?
                    > I'm running postfix version 2.9.6 on Debian Wheezy.
                    >

                    I think there is no option to change this atm :P

                    eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)

                    if (status != XSASL_AUTH_DONE) {
                    msg_warn("%s: SASL %s authentication failed: %s",
                    state->namaddr, sasl_method,
                    STR(state->sasl_reply));
                    /* RFC 4954 Section 6. */
                    smtpd_chat_reply(state, "535 5.7.8 Error: authentication
                    failed: %s",
                    STR(state->sasl_reply));
                    return (-1);
                    }
                  • Patrik Båt
                    ... from RFC: 535 5.7.8 Authentication credentials invalid This response to the AUTH command indicates that the authentication failed due to invalid or
                    Message 9 of 13 , Feb 5, 2014
                    • 0 Attachment
                      On ons 5 feb 2014 09:43:52, Patrik Båt wrote:
                      > On ons 5 feb 2014 09:17:57, Patrik Båt wrote:
                      >> On tis 4 feb 2014 15:42:04, Patrik Båt wrote:
                      >>> On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
                      >>>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
                      >>>>
                      >>>>> When saslauthd crashes or beeing stopped, mails are bounced.
                      >>>>> eg: 535 5.7.8 Error: authentication failed: generic failure
                      >>>>>
                      >>>>> Can I somehow change it to just defer?
                      >>>>
                      >>>> If you have a dedicated submission/relay service to which *all*
                      >>>> clients must authenticate, then you can set the restrictions to
                      >>>> "defer" after allowing authenticated users.
                      >>>>
                      >>>> main.cf:
                      >>>> # Postfix >= 2.10 variant (uncomment below and comment-out variant for
                      >>>> # earlier versions.
                      >>>> #
                      >>>> #submission_relay_restrictions = permit_sasl_authenticated, defer
                      >>>> #submission_recipient_restrictions =
                      >>>>
                      >>>> # Earlier versions variant
                      >>>> #
                      >>>> submission_recipient_restrictions = permit_sasl_authenticated, defer
                      >>>>
                      >>>> master.cf:
                      >>>> # Replace "submission" with appropriate IP:port as required.
                      >>>> # Replace "submission" with appropriate IP:port as required.
                      >>>> submission inet n ... smtpd
                      >>>> -o smtpd_client_restrictions=
                      >>>> -o smtpd_helo_restrictions=
                      >>>> -o smtpd_sender_restrictions=
                      >>>> # Uncomment with Postfix >= 2.10
                      >>>> # -o smtpd_relay_restrictions=$submission_relay_restrictions
                      >>>> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                      >>>> -o smtpd_data_restrictions=
                      >>>> -o smtpd_end_of_data_restrictions=
                      >>>> ...
                      >>>>
                      >>>> Do not do this on any SMTP listener that also handles inbound mail
                      >>>> (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
                      >>>> for all clients.
                      >>>>
                      >>>
                      >>> Thanks alot Victor!
                      >>>
                      >>> I've done this tho, but it wasn't working, so I have restrictions
                      >>> somewhere else also, so i need to figur that out, but then my
                      >>> conclusion wasn't that off :)
                      >>>
                      >>
                      >> Hmm, Victor are you sure this works?
                      >> I'm running postfix version 2.9.6 on Debian Wheezy.
                      >>
                      >
                      > I think there is no option to change this atm :P
                      >
                      > eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)
                      >
                      > if (status != XSASL_AUTH_DONE) {
                      > msg_warn("%s: SASL %s authentication failed: %s",
                      > state->namaddr, sasl_method,
                      > STR(state->sasl_reply));
                      > /* RFC 4954 Section 6. */
                      > smtpd_chat_reply(state, "535 5.7.8 Error: authentication
                      > failed: %s",
                      > STR(state->sasl_reply));
                      > return (-1);
                      > }
                      >

                      from RFC:
                      535 5.7.8 Authentication credentials invalid

                      This response to the AUTH command indicates that the authentication
                      failed due to invalid or insufficient authentication credentials. In
                      this case, the client SHOULD ask the user to supply new credentials
                      (such as by presenting a password dialog box).


                      But if sasl auth daemon is not working prop. or is down i rather see
                      this:

                      454 4.7.0 Temporary authentication failure

                      This response to the AUTH command indicates that the authentication
                      failed due to a temporary server failure. The client SHOULD NOT
                      prompt the user for another password in this case, and should instead
                      notify the user of server failure.


                      Anyone agrees ?
                    • Patrik Båt
                      ... Maybe check that SASL give a respons, and if not just tmp fail it. or someother check. ... 19:03:44.000000000 +0100 +++ smtpd_sasl_glue.c 2014-02-05
                      Message 10 of 13 , Feb 5, 2014
                      • 0 Attachment
                        On ons 5 feb 2014 09:50:32, Patrik Båt wrote:
                        > On ons 5 feb 2014 09:43:52, Patrik Båt wrote:
                        >> On ons 5 feb 2014 09:17:57, Patrik Båt wrote:
                        >>> On tis 4 feb 2014 15:42:04, Patrik Båt wrote:
                        >>>> On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
                        >>>>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
                        >>>>>
                        >>>>>> When saslauthd crashes or beeing stopped, mails are bounced.
                        >>>>>> eg: 535 5.7.8 Error: authentication failed: generic failure
                        >>>>>>
                        >>>>>> Can I somehow change it to just defer?
                        >>>>>
                        >>>>> If you have a dedicated submission/relay service to which *all*
                        >>>>> clients must authenticate, then you can set the restrictions to
                        >>>>> "defer" after allowing authenticated users.
                        >>>>>
                        >>>>> main.cf:
                        >>>>> # Postfix >= 2.10 variant (uncomment below and comment-out variant for
                        >>>>> # earlier versions.
                        >>>>> #
                        >>>>> #submission_relay_restrictions = permit_sasl_authenticated, defer
                        >>>>> #submission_recipient_restrictions =
                        >>>>>
                        >>>>> # Earlier versions variant
                        >>>>> #
                        >>>>> submission_recipient_restrictions = permit_sasl_authenticated, defer
                        >>>>>
                        >>>>> master.cf:
                        >>>>> # Replace "submission" with appropriate IP:port as required.
                        >>>>> # Replace "submission" with appropriate IP:port as required.
                        >>>>> submission inet n ... smtpd
                        >>>>> -o smtpd_client_restrictions=
                        >>>>> -o smtpd_helo_restrictions=
                        >>>>> -o smtpd_sender_restrictions=
                        >>>>> # Uncomment with Postfix >= 2.10
                        >>>>> # -o smtpd_relay_restrictions=$submission_relay_restrictions
                        >>>>> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                        >>>>> -o smtpd_data_restrictions=
                        >>>>> -o smtpd_end_of_data_restrictions=
                        >>>>> ...
                        >>>>>
                        >>>>> Do not do this on any SMTP listener that also handles inbound mail
                        >>>>> (i.e. port 25 MX host for your domain) and thus cannot enforce authentication
                        >>>>> for all clients.
                        >>>>>
                        >>>>
                        >>>> Thanks alot Victor!
                        >>>>
                        >>>> I've done this tho, but it wasn't working, so I have restrictions
                        >>>> somewhere else also, so i need to figur that out, but then my
                        >>>> conclusion wasn't that off :)
                        >>>>
                        >>>
                        >>> Hmm, Victor are you sure this works?
                        >>> I'm running postfix version 2.9.6 on Debian Wheezy.
                        >>>
                        >>
                        >> I think there is no option to change this atm :P
                        >>
                        >> eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)
                        >>
                        >> if (status != XSASL_AUTH_DONE) {
                        >> msg_warn("%s: SASL %s authentication failed: %s",
                        >> state->namaddr, sasl_method,
                        >> STR(state->sasl_reply));
                        >> /* RFC 4954 Section 6. */
                        >> smtpd_chat_reply(state, "535 5.7.8 Error: authentication
                        >> failed: %s",
                        >> STR(state->sasl_reply));
                        >> return (-1);
                        >> }
                        >>
                        >
                        > from RFC:
                        > 535 5.7.8 Authentication credentials invalid
                        >
                        > This response to the AUTH command indicates that the authentication
                        > failed due to invalid or insufficient authentication credentials. In
                        > this case, the client SHOULD ask the user to supply new credentials
                        > (such as by presenting a password dialog box).
                        >
                        >
                        > But if sasl auth daemon is not working prop. or is down i rather see
                        > this:
                        >
                        > 454 4.7.0 Temporary authentication failure
                        >
                        > This response to the AUTH command indicates that the authentication
                        > failed due to a temporary server failure. The client SHOULD NOT
                        > prompt the user for another password in this case, and should instead
                        > notify the user of server failure.
                        >
                        >
                        > Anyone agrees ?
                        >

                        Maybe check that SASL give a respons, and if not just tmp fail it. or
                        someother check.

                        --- ../../../postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c 2011-12-18
                        19:03:44.000000000 +0100
                        +++ smtpd_sasl_glue.c 2014-02-05 09:59:29.893752433 +0100
                        @@ -316,8 +316,13 @@
                        state->namaddr, sasl_method,
                        STR(state->sasl_reply));
                        /* RFC 4954 Section 6. */
                        - smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                        - STR(state->sasl_reply));
                        + if (state->sasl_reply != NULL) {
                        + smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                        + STR(state->sasl_reply));
                        + }
                        + else {
                        + smtpd_chat_reply(state, "454 4.7.0 Temporary authentication
                        failure");
                        + }
                        return (-1);
                        }
                        /* RFC 4954 Section 6. */
                      • Viktor Dukhovni
                        ... Setting restrictions to permit_sasl_authenticated, defer works when clients don t attempt to authenticate. If a client attempts to authenticate and
                        Message 11 of 13 , Feb 5, 2014
                        • 0 Attachment
                          On Wed, Feb 05, 2014 at 09:50:32AM +0100, Patrik B?t wrote:

                          > >> Hmm, Victor are you sure this works?

                          Setting restrictions to "permit_sasl_authenticated, defer" works
                          when clients don't attempt to authenticate. If a client attempts
                          to authenticate and fails, the client will not send the message.
                          Whether it tries again later is up to the client.

                          If the client is Postfix >= 2.5, it will typically defer delivery:

                          http://www.postfix.org/postconf.5.html#smtp_sasl_auth_soft_bounce

                          > But if sasl auth daemon is not working prop. or is down i rather see
                          > this:
                          >
                          > 454 4.7.0 Temporary authentication failure

                          Postfix does not have a good to determine whether the SASL library
                          error is transient or not. The Cyrus SASL API has many error
                          conditions, there is mention of SASL_TRYAGAIN in the sasl_errors(3)
                          manpage, but it is not clear which classes of problems that covers.
                          In any case, the Postfix "xsasl" abstraction layer does not currently
                          any mechanism to report transient errors.

                          #define XSASL_AUTH_OK 1 /* Success */
                          #define XSASL_AUTH_MORE 2 /* Need another c/s protocol exchange */
                          #define XSASL_AUTH_DONE 3 /* Authentication completed */
                          #define XSASL_AUTH_FORM 4 /* Cannot decode response */
                          #define XSASL_AUTH_FAIL 5 /* Error */

                          --
                          Viktor.
                        • Viktor Dukhovni
                          ... The proposed patch is incorrect. Please reply on-list only.
                          Message 12 of 13 , Feb 5, 2014
                          • 0 Attachment
                            On Wed, Feb 05, 2014 at 10:01:15AM +0100, Patrik B?t wrote:

                            > Maybe check that SASL give a respons, and if not just tmp fail it. or
                            > someother check.

                            The proposed patch is incorrect. Please reply on-list only.

                            > --- ../../../postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c 2011-12-18
                            > 19:03:44.000000000 +0100
                            > +++ smtpd_sasl_glue.c 2014-02-05 09:59:29.893752433 +0100
                            > @@ -316,8 +316,13 @@
                            > state->namaddr, sasl_method,
                            > STR(state->sasl_reply));
                            > /* RFC 4954 Section 6. */
                            > - smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                            > - STR(state->sasl_reply));
                            > + if (state->sasl_reply != NULL) {
                            > + smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                            > + STR(state->sasl_reply));
                            > + }
                            > + else {
                            > + smtpd_chat_reply(state, "454 4.7.0 Temporary authentication
                            > failure");
                            > + }
                            > return (-1);
                            > }
                            > /* RFC 4954 Section 6. */
                          • Patrik Båt
                            ... Sorry for the reply all action, Im just so used to do it. About the patch, i will look someday more into this SASL, so for now just ignore the patch!
                            Message 13 of 13 , Feb 5, 2014
                            • 0 Attachment
                              On ons 5 feb 2014 16:40:15, Viktor Dukhovni wrote:
                              > On Wed, Feb 05, 2014 at 10:01:15AM +0100, Patrik B?t wrote:
                              >
                              >> Maybe check that SASL give a respons, and if not just tmp fail it. or
                              >> someother check.
                              >
                              > The proposed patch is incorrect. Please reply on-list only.
                              >
                              >> --- ../../../postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c 2011-12-18
                              >> 19:03:44.000000000 +0100
                              >> +++ smtpd_sasl_glue.c 2014-02-05 09:59:29.893752433 +0100
                              >> @@ -316,8 +316,13 @@
                              >> state->namaddr, sasl_method,
                              >> STR(state->sasl_reply));
                              >> /* RFC 4954 Section 6. */
                              >> - smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                              >> - STR(state->sasl_reply));
                              >> + if (state->sasl_reply != NULL) {
                              >> + smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
                              >> + STR(state->sasl_reply));
                              >> + }
                              >> + else {
                              >> + smtpd_chat_reply(state, "454 4.7.0 Temporary authentication
                              >> failure");
                              >> + }
                              >> return (-1);
                              >> }
                              >> /* RFC 4954 Section 6. */
                              >
                              >

                              Sorry for the "reply all" action, Im just so used to do it.

                              About the patch, i will look someday more into this SASL, so for now
                              just ignore the patch!
                            Your message has been successfully submitted and would be delivered to recipients shortly.