On Wed  5 Feb 2014 09:43:52, Patrik Båt wrote:
> On Wed  5 Feb 2014 09:17:57, Patrik Båt wrote:
>> On Tue  4 Feb 2014 15:42:04, Patrik Båt wrote:
>>> On Tue  4 Feb 2014 15:36:34, Viktor Dukhovni wrote:
>>>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik Båt wrote:
>>>>
>>>>> When saslauthd crashes or is being stopped, mails are bounced.
>>>>> eg: 535 5.7.8 Error: authentication failed: generic failure
>>>>>
>>>>> Can I somehow change it to just defer?
>>>>
>>>> If you have a dedicated submission/relay service to which *all*
>>>> clients must authenticate, then you can set the restrictions to
>>>> "defer" after allowing authenticated users.
>>>>
>>>>     main.cf:
>>>>     # Postfix >= 2.10 variant (uncomment below and comment-out variant for
>>>>     # earlier versions).
>>>>     #
>>>>     #submission_relay_restrictions = permit_sasl_authenticated, defer
>>>>     #submission_recipient_restrictions =
>>>>
>>>>     # Earlier versions variant
>>>>     #
>>>>     submission_recipient_restrictions = permit_sasl_authenticated, defer
>>>>
>>>>     master.cf:
>>>>     # Replace "submission" with appropriate IP:port as required.
>>>>     submission inet n ... smtpd
>>>>    -o smtpd_client_restrictions=
>>>>    -o smtpd_helo_restrictions=
>>>>    -o smtpd_sender_restrictions=
>>>>    # Uncomment with Postfix >= 2.10
>>>>    # -o smtpd_relay_restrictions=$submission_relay_restrictions
>>>>    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
>>>>    -o smtpd_data_restrictions=
>>>>    -o smtpd_end_of_data_restrictions=
>>>>    ...
>>>>
>>>> Do not do this on any SMTP listener that also handles inbound mail
>>>> (i.e. port 25 MX host for your domain) and thus cannot enforce
>>>> authentication for all clients.
>>>>
>>>
>>> Thanks a lot Viktor!
>>>
>>> I've done this tho, but it wasn't working, so I have restrictions
>>> somewhere else also, so I need to figure that out, but then my
>>> conclusion wasn't that off :)
>>>
>>
>> Hmm, Viktor, are you sure this works?
>> I'm running postfix version 2.9.6 on Debian Wheezy.
>>
>
> I think there is no option to change this atm :P
>
> eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)
>
>     if (status != XSASL_AUTH_DONE) {
>         msg_warn("%s: SASL %s authentication failed: %s",
>                  state->namaddr, sasl_method,
>                  STR(state->sasl_reply));
>         /* RFC 4954 Section 6. */
>         smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
>                          STR(state->sasl_reply));
>         return (-1);
>     }
>

From the RFC:
535 5.7.8  Authentication credentials invalid

   This response to the AUTH command indicates that the authentication
   failed due to invalid or insufficient authentication credentials.  In
   this case, the client SHOULD ask the user to supply new credentials
   (such as by presenting a password dialog box).


But if the SASL auth daemon is not working properly or is down, I would
rather see this:

454 4.7.0  Temporary authentication failure

   This response to the AUTH command indicates that the authentication
   failed due to a temporary server failure.  The client SHOULD NOT
   prompt the user for another password in this case, and should instead
   notify the user of server failure.


Does anyone agree?

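An added example (not part of the original thread and not Postfix code): because the server answers 535 in both cases, the mail log is where a backend outage can be told apart from bad passwords. It parses the warning format of the msg_warn() call quoted above; the syslog prefix, hosts, the "authentication failure" reason and the `min_clients` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Format taken from the msg_warn() call quoted in the thread:
#   "%s: SASL %s authentication failed: %s"  (namaddr, method, reply text)
FAIL_RE = re.compile(
    r"warning: (?P<client>\S+\[[^\]]+\]): SASL (?P<method>\S+) "
    r"authentication failed: (?P<reason>.*)$")

# Assumption: "generic failure" is how a stopped saslauthd shows up, as the
# thread reports; any other reason is treated as a credential problem.
BACKEND_REASONS = {"generic failure"}


def classify(line):
    """Return (client, method, kind) for a SASL failure line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    reason = m.group("reason").strip()
    kind = "backend" if reason in BACKEND_REASONS else "credentials"
    return m.group("client"), m.group("method"), kind


def summarize(lines, min_clients=2):
    """Count failures by kind and flag a likely backend outage when
    several distinct clients hit backend-type failures."""
    kinds = Counter()
    backend_clients = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        client, _method, kind = hit
        kinds[kind] += 1
        if kind == "backend":
            backend_clients.add(client)
    return {"backend": kinds["backend"],
            "credentials": kinds["credentials"],
            "outage_suspected": len(backend_clients) >= min_clients}


# Constructed sample log lines (prefix, host names and addresses are made up).
SAMPLE = [
    "Feb  5 09:10:01 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: generic failure",
    "Feb  5 09:10:03 mx postfix/smtpd[2104]: warning: client.example.org[198.51.100.7]: SASL PLAIN authentication failed: generic failure",
    "Feb  5 09:10:09 mx postfix/smtpd[2110]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Feb  5 09:10:11 mx postfix/smtpd[2110]: connect from unknown[203.0.113.5]",
]
```

Backend-type failures from several clients at once point at the authentication daemon rather than at users' passwords, which is the case the thread argues should be answered with 454 4.7.0.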