On ons 5 feb 2014 09:50:32, Patrik Båt wrote:
> On ons 5 feb 2014 09:43:52, Patrik Båt wrote:
>> On ons 5 feb 2014 09:17:57, Patrik Båt wrote:
>>> On tis 4 feb 2014 15:42:04, Patrik Båt wrote:
>>>> On tis 4 feb 2014 15:36:34, Viktor Dukhovni wrote:
>>>>> On Tue, Feb 04, 2014 at 02:57:42PM +0100, Patrik Båt wrote:
>>>>>
>>>>>> When saslauthd crashes or being stopped, mails are bounced.
>>>>>> eg: 535 5.7.8 Error: authentication failed: generic failure
>>>>>>
>>>>>> Can I somehow change it to just defer?
>>>>>
>>>>> If you have a dedicated submission/relay service to which *all*
>>>>> clients must authenticate, then you can set the restrictions to
>>>>> "defer" after allowing authenticated users.
>>>>>
>>>>> main.cf:
>>>>>     # Postfix >= 2.10 variant (uncomment below and comment-out variant for
>>>>>     # earlier versions).
>>>>>     #
>>>>>     #submission_relay_restrictions = permit_sasl_authenticated, defer
>>>>>     #submission_recipient_restrictions =
>>>>>
>>>>>     # Earlier versions variant
>>>>>     #
>>>>>     submission_recipient_restrictions = permit_sasl_authenticated, defer
>>>>>
>>>>> master.cf:
>>>>>     # Replace "submission" with appropriate IP:port as required.
>>>>>     submission inet n ... smtpd
>>>>>         -o smtpd_client_restrictions=
>>>>>         -o smtpd_helo_restrictions=
>>>>>         -o smtpd_sender_restrictions=
>>>>>         # Uncomment with Postfix >= 2.10
>>>>>         # -o smtpd_relay_restrictions=$submission_relay_restrictions
>>>>>         -o smtpd_recipient_restrictions=$submission_recipient_restrictions
>>>>>         -o smtpd_data_restrictions=
>>>>>         -o smtpd_end_of_data_restrictions=
>>>>>         ...
>>>>>
>>>>> Do not do this on any SMTP listener that also handles inbound mail
>>>>> (i.e. port 25 MX host for your domain) and thus cannot enforce
>>>>> authentication for all clients.
>>>>>
>>>>
>>>> Thanks a lot Viktor!
>>>>
>>>> I've done this tho, but it wasn't working, so I have restrictions
>>>> somewhere else also, so I need to figure that out, but then my
>>>> conclusion wasn't that off :)
>>>>
>>>
>>> Hmm, Viktor are you sure this works?
>>> I'm running postfix version 2.9.6 on Debian Wheezy.
>>>
>>
>> I think there is no option to change this atm :P
>>
>> eg: (line 314 in postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c)
>>
>>     if (status != XSASL_AUTH_DONE) {
>>         msg_warn("%s: SASL %s authentication failed: %s",
>>                  state->namaddr, sasl_method,
>>                  STR(state->sasl_reply));
>>         /* RFC 4954 Section 6. */
>>         smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
>>                          STR(state->sasl_reply));
>>         return (-1);
>>     }
>>
>
> from RFC:
> 535 5.7.8 Authentication credentials invalid
>
> This response to the AUTH command indicates that the authentication
> failed due to invalid or insufficient authentication credentials. In
> this case, the client SHOULD ask the user to supply new credentials
> (such as by presenting a password dialog box).
>
>
> But if sasl auth daemon is not working prop. or is down I'd rather see
> this:
>
> 454 4.7.0 Temporary authentication failure
>
> This response to the AUTH command indicates that the authentication
> failed due to a temporary server failure. The client SHOULD NOT
> prompt the user for another password in this case, and should instead
> notify the user of server failure.
>
>
> Anyone agree?
>
Maybe check that SASL gives a response, and if not just tmp fail it, or some other check.

--- ../../../postfix-2.9.6/src/smtpd/smtpd_sasl_glue.c 2011-12-18 19:03:44.000000000 +0100 +++ smtpd_sasl_glue.c 2014-02-05 09:59:29.893752433 +0100 @@ -316,8 +316,13 @@ state->namaddr, sasl_method, STR(state->sasl_reply)); /* RFC 4954 Section 6. */ - smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s", - STR(state->sasl_reply)); + if (state->sasl_reply != NULL) { + smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s", + STR(state->sasl_reply)); + } + else { + smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure"); + } return (-1); } /* RFC 4954 Section 6. */
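Review bot: the `state->sasl_reply != NULL` test on the first added line cannot select the 454 branch, because the unchanged context just above it already passes `STR(state->sasl_reply)` to the warning call, so the buffer is expected to exist whenever this code runs. The failure reported earlier in this thread also arrived with a reply text ("generic failure"), so it would still be answered with 535. Consider choosing between 535 and 454 on what the SASL layer reported (the `status` value, or a distinct result for backend errors) rather than on the pointer, and put `} else {` on one line if that is the file's brace style.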
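A log check for the condition discussed in this thread, as an added example that is not part of the original messages or of Postfix: it parses warnings in the `msg_warn()` format quoted above and separates SASL backend failures from rejected credentials, mapping each to the RFC 4954 code the thread argues for. Only the "generic failure" reason comes from the thread; the other reason string, the threshold and the sample log lines are assumptions.

```python
import re
from collections import Counter

# Matches the msg_warn() format quoted in the thread:
#   "%s: SASL %s authentication failed: %s"
WARN_RE = re.compile(
    r"warning: (?P<client>\S+): SASL (?P<method>\S+) "
    r"authentication failed: (?P<reason>.*)$"
)

# Assumption: reason strings that mean the SASL backend itself failed.
# "generic failure" is the one reported in the thread; extend for your setup.
BACKEND_REASONS = {"generic failure"}


def classify(line):
    """Return (client, method, reply) for a failed-AUTH warning, else None.

    reply is the RFC 4954 code the failure corresponds to:
    454 for a backend (temporary) failure, 535 for rejected credentials.
    """
    m = WARN_RE.search(line)
    if m is None:
        return None
    reason = m.group("reason").strip().lower()
    reply = 454 if reason in BACKEND_REASONS else 535
    return m.group("client"), m.group("method"), reply


def backend_outage(lines, threshold=3):
    """True when at least `threshold` failures point at the backend."""
    counts = Counter(r[2] for r in map(classify, lines) if r)
    return counts[454] >= threshold


# Constructed sample log lines (hostnames and addresses are made up).
SAMPLE = [
    "Feb  5 09:40:01 mx postfix/smtpd[811]: warning: a.example[192.0.2.10]: SASL PLAIN authentication failed: generic failure",
    "Feb  5 09:40:07 mx postfix/smtpd[812]: warning: b.example[192.0.2.11]: SASL LOGIN authentication failed: generic failure",
    "Feb  5 09:40:09 mx postfix/smtpd[813]: warning: c.example[192.0.2.12]: SASL LOGIN authentication failed: authentication failure",
    "Feb  5 09:40:15 mx postfix/smtpd[814]: warning: a.example[192.0.2.10]: SASL PLAIN authentication failed: generic failure",
    "Feb  5 09:40:16 mx postfix/smtpd[814]: disconnect from a.example[192.0.2.10]",
]

if __name__ == "__main__":
    for entry in filter(None, map(classify, SAMPLE)):
        print(entry)
    print("backend outage suspected:", backend_outage(SAMPLE))
```

A burst of backend-type failures from unrelated clients points at saslauthd rather than at mistyped passwords, which is the case where clients are currently told 535.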