On Wed, Feb 05, 2014 at 09:50:32AM +0100, Patrik Båt wrote:

> >> Hmm, Victor are you sure this works?

Setting restrictions to "permit_sasl_authenticated, defer" works when clients don't attempt to authenticate. If a client attempts to authenticate and fails, the client will not send the message. Whether it tries again later is up to the client. If the client is Postfix >= 2.5, it will typically defer delivery:

    http://www.postfix.org/postconf.5.html#smtp_sasl_auth_soft_bounce

> But if sasl auth daemon is not working prop. or is down i rather see
> this:
>
> 454 4.7.0 Temporary authentication failure

Postfix does not have a good way to determine whether the SASL library error is transient or not. The Cyrus SASL API has many error conditions; there is mention of SASL_TRYAGAIN in the sasl_errors(3) manpage, but it is not clear which classes of problems that covers.

In any case, the Postfix "xsasl" abstraction layer does not currently have any mechanism to report transient errors.

    #define XSASL_AUTH_OK   1   /* Success */
    #define XSASL_AUTH_MORE 2   /* Need another c/s protocol exchange */
    #define XSASL_AUTH_DONE 3   /* Authentication completed */
    #define XSASL_AUTH_FORM 4   /* Cannot decode response */
    #define XSASL_AUTH_FAIL 5   /* Error */

--
Viktor.