Re: Tempfail if saslauthd unavailable

From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Thu Dec 11 2008 - 10:45:06 CST


On Thu, Dec 11, 2008 at 10:14:30AM +0530, ram wrote:

> I use Postfix 2.3 with cyrus-sasl for SMTP AUTH.
>
> cyrus-sasl needs a restart every few hours (they haven't fixed the
> memory leaks).
>
> The problem is that if saslauthd is momentarily unavailable, Postfix can't
> (obviously) authenticate the SMTP session.
> Postfix rejects the mail with a permanent failure. How do I change this
> to a 4xx error code so that the client's server would retry the mail?

Do you know which error (you may need to attach a debugger to smtpd to test)
SASL returns for this failure?

#define SASL_CONTINUE    1   /* another step is needed in authentication */
#define SASL_OK          0   /* successful result */
#define SASL_FAIL       -1   /* generic failure */
#define SASL_NOMEM      -2   /* memory shortage failure */
#define SASL_BUFOVER    -3   /* overflowed buffer */
#define SASL_NOMECH     -4   /* mechanism not supported */
#define SASL_BADPROT    -5   /* bad protocol / cancel */
#define SASL_NOTDONE    -6   /* can't request info until later in exchange */
#define SASL_BADPARAM   -7   /* invalid parameter supplied */
#define SASL_TRYAGAIN   -8   /* transient failure (e.g., weak key) */
#define SASL_BADMAC     -9   /* integrity check failed */
#define SASL_NOTINIT   -12   /* SASL library not initialized */
#define SASL_BADSERV   -10   /* server failed mutual authentication step */
#define SASL_WRONGMECH -11   /* mechanism doesn't support requested feature */
#define SASL_BADAUTH   -13   /* authentication failure */
#define SASL_NOAUTHZ   -14   /* authorization failure */
#define SASL_TOOWEAK   -15   /* mechanism too weak for this user */
#define SASL_ENCRYPT   -16   /* encryption needed to use mechanism */
#define SASL_TRANS     -17   /* One time use of a plaintext password will
                                enable requested mechanism for user */
#define SASL_EXPIRED   -18   /* passphrase expired, has to be reset */
#define SASL_DISABLED  -19   /* account disabled */
#define SASL_NOUSER    -20   /* user not found */
#define SASL_BADVERS   -23   /* version mismatch with plug-in */
#define SASL_UNAVAIL   -24   /* remote authentication server unavailable */
#define SASL_NOVERIFY  -26   /* user exists, but no verifier for user */
#define SASL_PWLOCK    -21   /* passphrase locked */
#define SASL_NOCHANGE  -22   /* requested change was not needed */
#define SASL_WEAKPASS  -27   /* passphrase is too weak for security policy */
#define SASL_NOUSERPASS -28  /* user supplied passwords not permitted */

You can put a breakpoint in xsasl_cyrus_server_auth_response() and look
at the sasl_status function argument (you may need to single-step one step
before it is placed into the right register). A negative value indicates
failure; I'd like to know which negative value is seen when saslauthd is
down.

Perhaps Postfix can detect the tempfail condition and respond accordingly.

--
        Viktor.
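The mapping Viktor is asking about, as an added example that is not part of this message and not Postfix's or cyrus-sasl's own code: given the sasl_status value that the breakpoint reveals, classify it into either a retryable 454 reply or a permanent 535 reply. The SASL_* constants are copied from the sasl.h excerpt above; the SMTP reply texts are the ones RFC 4954 gives for these cases. The function names (sasl_status_is_transient, sasl_status_to_smtp, format_auth_reply, auth_reply_equals) and the choice of which statuses count as transient are this example's own assumptions, not anything Postfix does.

```c
/*
 * Added example (not Postfix or cyrus-sasl code): turn a Cyrus SASL result
 * code into the SMTP AUTH reply a server should send, so that a verifier
 * outage (saslauthd down) yields a retryable 4xx rather than a 535.
 */
#include <stdio.h>
#include <string.h>

/* Subset of cyrus-sasl return codes, values as in sasl.h. */
#define SASL_CONTINUE    1      /* another step is needed in authentication */
#define SASL_OK          0      /* successful result */
#define SASL_FAIL       -1      /* generic failure */
#define SASL_NOMEM      -2      /* memory shortage failure */
#define SASL_TRYAGAIN   -8      /* transient failure */
#define SASL_NOTINIT   -12      /* SASL library not initialized */
#define SASL_BADAUTH   -13      /* authentication failure */
#define SASL_NOAUTHZ   -14      /* authorization failure */
#define SASL_EXPIRED   -18      /* passphrase expired, has to be reset */
#define SASL_DISABLED  -19      /* account disabled */
#define SASL_NOUSER    -20      /* user not found */
#define SASL_UNAVAIL   -24      /* remote authentication server unavailable */

struct auth_reply {
    int         code;       /* SMTP reply code */
    const char *enhanced;   /* enhanced status code (RFC 3463), NULL for 334 */
    const char *text;       /* reply text shown to the client */
};

/*
 * Transient: the password verifier could not be consulted, so the result
 * says nothing about the credentials and the client should retry later.
 * ASSUMPTION: this set is chosen from the sasl.h comments; confirm it
 * against the value actually seen in the debugger when saslauthd is down.
 */
int sasl_status_is_transient(int sasl_status)
{
    switch (sasl_status) {
    case SASL_UNAVAIL:      /* saslauthd (or other verifier) not reachable */
    case SASL_TRYAGAIN:     /* generic "retry later" */
    case SASL_NOMEM:        /* out of memory in the library, not a bad password */
    case SASL_NOTINIT:      /* library not initialized */
        return 1;
    default:
        return 0;
    }
}

/*
 * Every permanent failure collapses to one 535 text on purpose: the client
 * must not learn whether the user exists, is disabled or has an expired
 * password. Log the raw sasl_status server-side instead.
 */
struct auth_reply sasl_status_to_smtp(int sasl_status)
{
    struct auth_reply r;

    if (sasl_status == SASL_OK) {
        r.code = 235; r.enhanced = "2.7.0"; r.text = "Authentication successful";
    } else if (sasl_status == SASL_CONTINUE) {
        r.code = 334; r.enhanced = NULL;    r.text = "";   /* challenge follows */
    } else if (sasl_status_is_transient(sasl_status)) {
        r.code = 454; r.enhanced = "4.7.0"; r.text = "Temporary authentication failure";
    } else {
        r.code = 535; r.enhanced = "5.7.8"; r.text = "Authentication credentials invalid";
    }
    return r;
}

/* Render the reply line as it would go on the wire (without CRLF). */
int format_auth_reply(int sasl_status, char *buf, size_t buflen)
{
    struct auth_reply r = sasl_status_to_smtp(sasl_status);

    if (r.enhanced == NULL)     /* 334: the server appends its base64 challenge */
        return snprintf(buf, buflen, "%d", r.code);
    return snprintf(buf, buflen, "%d %s %s", r.code, r.enhanced, r.text);
}

/* Convenience check: does sasl_status render exactly as expected? */
int auth_reply_equals(int sasl_status, const char *expected)
{
    char buf[128];

    format_auth_reply(sasl_status, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample of statuses a debugger session might reveal. */
    int samples[] = { SASL_OK, SASL_UNAVAIL, SASL_TRYAGAIN, SASL_BADAUTH,
                      SASL_NOUSER, SASL_DISABLED, SASL_FAIL };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_auth_reply(samples[i], line, sizeof line);
        printf("sasl_status %4d -> %s\n", samples[i], line);
    }
    return 0;
}
```

The point of the split is that only statuses which say nothing about the credentials get a 4xx. Tempfailing every negative status would be wrong twice over: a client with a bad password would keep retrying forever, and SASL_FAIL (generic failure) could mask a misconfiguration as a transient outage. Whichever value the breakpoint shows for a dead saslauthd is the one to add to sasl_status_is_transient(); the rest stay 535.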

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.