Haproxy and Dovecot auth
Hi all,
I'd like to use Haproxy to balance an auth service on a couple of Dovecot directors to have a redundant SASL service for my Postfix instances. When I configure the Postfix instances to use, as smtpd_sasl_path, a direct connection to one of the directors, I notice no errors. When I redirect the smtpd_sasl_path through a Haproxy-balanced connection, I receive an error the first time I try to send an email. The error is:

SASL PLAIN authentication failed: Connection lost to authentication server

If I then send more emails I receive no errors. If I do not send emails for a few minutes, the error appears again.
The relevant Haproxy configuration is the following:
listen auth *:12345
    mode tcp
    balance source
    log global
    option tcplog
    option log-health-checks
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1000 fall 3 rise 1
    server dovecot-director01 dovecot-director01:12345 check
Does anyone have an idea about what is missing?
Thanks a lot,
Giuseppe

--
Giuseppe Civitella
gcivitella@entermail.it
On 15 Oct 2015, at 20:26, Giuseppe Civitella gcivitella@entermail.it wrote:
> When I redirect the smtpd_sasl_path through a Haproxy-balanced connection, I receive an error the first time I try to send an email. The error is:
>
> SASL PLAIN authentication failed: Connection lost to authentication server
>
> If I then send more emails I receive no errors. If I do not send emails for a few minutes, the error appears again.
We’ve seen this happen as well, and concluded that this is caused by the Postfix SASL client not recovering gracefully from lost TCP connections. If I remember correctly, Postfix keeps a SASL authentication connection open for re-use, but when this connection breaks down (e.g. due to a timeout in the TCP connection itself or due to Dovecot closing it on the other end due to inactivity) then the next/first authentication attempt fails. Postfix will then not handle this error as a temporary failure, but as an authentication failure (i.e. ‘wrong username/password’). After this, it will close the connection and the next authentication attempt will re-establish the connection, and that will of course succeed again.
This explains why you get this error only the first time (because it failed due to the old/broken connection) and why after a few minutes the error appears again (because by then the connection is stale again).
Now, I haven’t actually confirmed this, but I’m pretty sure the problem is in the Dovecot SASL client in Postfix. It is written with the assumption that the connection is over a UNIX socket. In those cases a broken connection is detected earlier/differently (EPIPE) and Postfix will actually recover by reconnecting and trying again. You might be able to confirm and possibly work around this issue by forwarding UNIX socket connections to TCP, with tools like socat, netcat, spiped etc.
-Arjan
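The failure mode Arjan describes, as an added illustration that is not part of the thread and not Postfix, Dovecot or haproxy code: a toy auth server that silently drops idle TCP sessions (the role haproxy or Dovecot plays here) and a client that caches one auth connection for re-use the way Postfix does. The line protocol is a simplified stand-in for the Dovecot auth protocol, and the class names, the user/password pair and the 0.3 s idle timeout are constructed for the example. The "naive" strategy reports the dead connection as an authentication failure and only recovers on the following attempt, reproducing the first-fails-then-works pattern from the thread; the "reconnect" strategy treats the broken connection as a transport error, reconnects once and replays the request.

```python
import base64
import socket
import threading
import time


class IdleClosingAuthServer:
    """Toy auth server speaking a simplified, Dovecot-auth-like line protocol.

    It drops any connection idle for longer than idle_timeout seconds, standing
    in for haproxy (or Dovecot) closing an idle TCP session behind the client's
    back.  Illustration only: not the real Dovecot auth protocol or daemon.
    """

    def __init__(self, idle_timeout, users):
        self.idle_timeout = idle_timeout
        self.users = users                       # {username: password}, constructed
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))     # loopback, ephemeral port
        self.listener.listen()
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.listener.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        conn.settimeout(self.idle_timeout)       # recv() raises once the peer idles
        buf = b""
        try:
            while True:
                while b"\n" not in buf:
                    chunk = conn.recv(4096)
                    if not chunk:                # client closed its end
                        return
                    buf += chunk
                line, buf = buf.split(b"\n", 1)
                conn.sendall(self._handle(line))
        except (socket.timeout, ConnectionError):
            pass                                 # idle or broken: drop the session
        finally:
            conn.close()                         # FIN to the client, no warning

    def _handle(self, line):
        # Request: AUTH<TAB>id<TAB>PLAIN<TAB>resp=<base64 of \0user\0password>
        fields = line.split(b"\t")
        req_id = fields[1] if len(fields) > 1 else b"0"
        if len(fields) < 4 or fields[0] != b"AUTH" or fields[2] != b"PLAIN":
            return b"FAIL\t" + req_id + b"\n"
        resp = next((f[5:] for f in fields[3:] if f.startswith(b"resp=")), b"")
        try:
            _authzid, user, password = base64.b64decode(resp).split(b"\0")
        except ValueError:                       # bad base64 or wrong field count
            return b"FAIL\t" + req_id + b"\n"
        if self.users.get(user.decode(errors="replace")) == password.decode(errors="replace"):
            return b"OK\t" + req_id + b"\tuser=" + user + b"\n"
        return b"FAIL\t" + req_id + b"\n"


class AuthClient:
    """Client that keeps one auth connection open for re-use, as Postfix does."""

    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = None
        self.req_id = 0

    def _close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None

    def _round_trip(self, request):
        """Send one request on the cached connection (opening it if needed) and
        return the reply line.  Raises ConnectionError if the peer is gone."""
        if self.sock is None:
            self.sock = socket.create_connection(self.addr, timeout=5)
        self.sock.sendall(request)               # usually succeeds even on a dead peer
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = self.sock.recv(4096)
            if not chunk:                        # EOF: the server had already closed
                raise ConnectionResetError("auth server closed the connection")
            reply += chunk
        return reply

    def authenticate(self, user, password, retry_on_broken_connection):
        """Return "OK" or "FAIL".  With retry_on_broken_connection=False a stale
        connection is reported as FAIL (the misbehaviour discussed in the thread);
        with True it is reconnected once and the same request is replayed."""
        self.req_id += 1
        resp = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()
        request = f"AUTH\t{self.req_id}\tPLAIN\tresp={resp}\n".encode()
        try:
            reply = self._round_trip(request)
        except (ConnectionError, socket.timeout):
            self._close()                        # discard the dead connection
            if not retry_on_broken_connection:
                return "FAIL"                    # wrongly reported as an auth failure
            reply = self._round_trip(request)    # fresh connection, same request
        return reply.split(b"\t", 1)[0].decode()


def demo(idle_timeout=0.3):
    """Run both strategies against a server with a short idle timeout.
    Returns {strategy: (first, after_idle, right_after)} with "OK"/"FAIL" entries."""
    server = IdleClosingAuthServer(idle_timeout, {"alice": "s3cret"})
    results = {}
    for strategy in ("naive", "reconnect"):
        retry = strategy == "reconnect"
        client = AuthClient("127.0.0.1", server.port)
        first = client.authenticate("alice", "s3cret", retry)
        time.sleep(idle_timeout * 3)             # long enough for the server to drop us
        after_idle = client.authenticate("alice", "s3cret", retry)
        right_after = client.authenticate("alice", "s3cret", retry)
        results[strategy] = (first, after_idle, right_after)
    return results


if __name__ == "__main__":
    for strategy, outcome in demo().items():
        print(f"{strategy:10s} first={outcome[0]} after_idle={outcome[1]} next={outcome[2]}")
```

The naive strategy yields OK, FAIL, OK: the request after the idle period is lost on the dead connection and the error is surfaced as an authentication failure, then the next attempt reconnects and works. For production the workaround suggested in the reply keeps Postfix on a UNIX socket, for instance `socat UNIX-LISTEN:/var/spool/postfix/private/auth-haproxy,fork,mode=0660 TCP:127.0.0.1:12345` with `smtpd_sasl_path = private/auth-haproxy` (socket path and haproxy listen address are assumptions for this note); when the TCP side is dropped, socat closes the UNIX side and Postfix sees the break on the socket type it handles by reconnecting.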