Re: SASL defer rather then reject

Wed, 05 Feb 2014 00:45:28 -0800 

On ons  5 feb 2014 09:17:57, Patrik Båt wrote:
> On tis  4 feb 2014 15:42:04, Patrik Båt wrote:
>> On tis  4 feb 2014 15:36:34, Viktor Dukhovni wrote:
>>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik B?t wrote:
>>>
>>>> When saslauthd crashes or beeing stopped, mails are bounced.
>>>> eg: 535 5.7.8 Error: authentication failed: generic failure
>>>>
>>>> Can I somehow change it to just defer?
>>>
>>> If you have a dedicated submission/relay service to which *all*
>>> clients must authenticate, then you can set the restrictions to
>>> "defer" after allowing authenticated users.
>>>
>>>     main.cf:
>>>     # Postfix >= 2.10 variant (uncomment below and comment-out variant for
>>>     # earlier versions.
>>>     #
>>>     #submission_relay_restrictions = permit_sasl_authenticated, defer
>>>     #submission_recipient_restrictions =
>>>
>>>     # Earlier versions variant
>>>     #
>>>     submission_recipient_restrictions = permit_sasl_authenticated, defer
>>>
>>>     master.cf:
>>>     # Replace "submission" with appropriate IP:port as required.
>>>     # Replace "submission" with appropriate IP:port as required.
>>>     submission inet n ... smtpd
>>>     -o smtpd_client_restrictions=
>>>     -o smtpd_helo_restrictions=
>>>     -o smtpd_sender_restrictions=
>>>     # Uncomment with Postfix >= 2.10
>>>     # -o smtpd_relay_restrictions=$submission_relay_restrictions
>>>     -o smtpd_recipient_restrictions=$submission_recipient_restrictions
>>>     -o smtpd_data_restrictions=
>>>     -o smtpd_end_of_data_restrictions=
>>>     ...
>>>
>>> Do not do this on any SMTP listener that also handles inbound mail
>>> (i.e. port 25 MX host for your domain) and thus cannot enforce 
>>> authentication
>>> for all clients.
>>>
>>
>> Thanks alot Victor!
>>
>> I've done this tho, but it wasn't working, so I have restrictions
>> somewhere else also, so i need to figur that out, but then my
>> conclusion wasn't that off :)
>>
>
> Hmm, Victor are you sure this works?
> I'm running postfix version 2.9.6 on Debian Wheezy.
>

I think there is no option to change this atm :P

eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)

    if (status != XSASL_AUTH_DONE) {
        msg_warn("%s: SASL %s authentication failed: %s",
                 state->namaddr, sasl_method,
                 STR(state->sasl_reply));
        /* RFC 4954 Section 6. */
        smtpd_chat_reply(state, "535 5.7.8 Error: authentication 
failed: %s",
                         STR(state->sasl_reply));
        return (-1);
    }

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to