On 27 Mar 2015, at 13:21, Edgaras Lukoševičius edgaras.lukosevicius@gmail.com wrote:
Hello,
is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
The configuration I have now gives me this error randomly: 535 5.7.8 Error: authentication failed: Connection lost to authentication server
This is probably because haproxy changes servers while the session is still active (postfix sasl doesn't establish a new connection to the auth service every time a new auth request arrives).
Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.
There's nothing Dovecot can do about it, because the error handling is in Postfix code. Although I suppose Dovecot-auth could drop the connection itself, but that would still cause random problems if Postfix was just about to authenticate using that connection. Postfix could in theory handle a dropped auth connection by reconnecting and retrying, although maybe still logging a warning. That doesn't work perfectly for all SASL mechanisms though. Does haproxy disconnect completely randomly or only after the connection has existed for n minutes? Maybe having a Postfix setting for "max time for auth connection existence before reconnect" would work too if it was set lower than haproxy's connection timeout. But yeah, in any case it would need Postfix code changes.
As for recommending IMAP authentication (whether via Cyrus or via Dovecot imapc): It would work of course, but I wouldn't want to use it myself. It causes extra confusion in logs because you now need to separate out the SMTP-auth-IMAP-logins from regular IMAP-logins (assuming you care about that at all). IMAP login is also much more expensive than a simple authentication check.
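The "max time for auth connection existence before reconnect" idea from the reply above, as an added simulation that is not part of the thread and is not Postfix, Dovecot or haproxy code. It assumes the proxy silently drops a connection that has been idle longer than a fixed timeout; all class, function and parameter names are hypothetical, and the arrival times are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IdleTimeoutProxy:
    """Assumed proxy model: drops a connection idle for more than idle_timeout seconds."""
    idle_timeout: float
    last_seen: dict = field(default_factory=dict)  # connection id -> time of last traffic
    next_id: int = 0

    def connect(self, now):
        self.next_id += 1
        self.last_seen[self.next_id] = now
        return self.next_id

    def send(self, conn, now):
        """True if the request got through, False if the connection was already dropped."""
        if now - self.last_seen[conn] > self.idle_timeout:
            return False
        self.last_seen[conn] = now
        return True


class AuthClient:
    """Holds one persistent auth connection; max_age=None means 'never reconnect proactively'."""
    def __init__(self, proxy, max_age=None):
        self.proxy, self.max_age = proxy, max_age
        self.conn = self.opened = None
        self.reconnects = 0

    def authenticate(self, now):
        too_old = (self.max_age is not None and self.conn is not None
                   and now - self.opened >= self.max_age)
        if self.conn is None or too_old:
            self.conn, self.opened = self.proxy.connect(now), now
            self.reconnects += 1
        ok = self.proxy.send(self.conn, now)
        if not ok:
            self.conn = None  # "Connection lost to authentication server"; reopen next time
        return ok


def run(arrivals, idle_timeout, max_age=None):
    """Return (times of failed auth requests, number of connections opened)."""
    client = AuthClient(IdleTimeoutProxy(idle_timeout), max_age)
    failures = [t for t in arrivals if not client.authenticate(t)]
    return failures, client.reconnects


# Constructed arrival times (seconds) of SMTP AUTH requests, with quiet gaps between bursts.
ARRIVALS = [0, 5, 12, 80, 85, 300, 302, 330, 700]
```

With a 50-second proxy timeout, a maximum age below the timeout removes the failures at the cost of extra connections, while a maximum age above it still lets a request land on a dropped connection.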