[Dovecot] Question about SASL auth
I have recently upgraded from Dovecot 1.2.10 to 2.0.beta3.
I have Postfix 2.3.3 and use Dovecot to provide SASL auth for Postfix.
# dovecot -n # 2.0.beta3: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 2.6.18-8.1.14.el5 i686 CentOS release 5 (Final) auth_mechanisms = plain apop login auth_worker_max_count = 5 mail_location = mbox:~/Mail:INBOX=/var/spool/mail/%u mail_privileged_group = mail mbox_write_locks = fcntl dotlock passdb { args = /usr/local/etc/dovecot.passwd deny = no driver = passwd-file master = no pass = no } passdb { deny = no driver = pam master = no pass = no } protocols = imap pop3 service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } } ssl_cert =
Since upgrading to 2.0.beta3 I have started seeing notices like
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: fatal: no SASL authentication mechanisms
in my maillog. I don't see them too often (an average of about 2 occurences per day), and they seem to be related to spam or some kind of attack. I am able to send using SASL authentication from my own client OK.
The relevant postfix config settings are
smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot
Postfix and its configuration haven't changed from what I used with Dovecot 1.2.10.
With Dovecot 1.2.10, I rarely if ever saw these failures.
Is this a case of the socket being in use when another auth request arrives or is it something else? And if it is the socket in use, is there some change in 2.0.beta that would cause the socket to be busy longer?
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 8.3.2010, at 0.39, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
A bug most likely. I fixed several related issues already, maybe it's gone in latest nightly snapshots? I should release beta4 soon..
On 3/7/2010 2:43 PM, Timo Sirainen wrote:
On 8.3.2010, at 0.39, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
A bug most likely. I fixed several related issues already, maybe it's gone in latest nightly snapshots? I should release beta4 soon..
I have installed dovecot 2.0.beta4 plus the 3 additional Mercurial changes, and this is still occurring. See my post at http://dovecot.org/pipermail/dovecot/2010-March/047392.html for more detail on my configuration.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Tue, 2010-03-23 at 09:28 -0700, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
What about Dovecot's logs? Do you see e.g.:
master: Warning: service(auth): process_limit reached, client connections are being dropped
How many imap/pop3/smtpd processes do you typically have?
Timo Sirainen wrote:
On Tue, 2010-03-23 at 09:28 -0700, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
What about Dovecot's logs? Do you see e.g.:
master: Warning: service(auth): process_limit reached, client connections are being dropped
No, I see no such messages. The only recent messages from dovecot: master are from shutdowns and startups.
How many imap/pop3/smtpd processes do you typically have?
3 to 5 postfix smtpd listeners
I think the following is fairly typical for dovecot (it listens on pop3, pop3s, imap and imaps). I am essentially the only imap user and it would be rare to have two concurrent pop3 connections.
[root@sbh16 ~]# ps -fwA |grep [d]ovecot dovecot 2562 2913 0 18:56 ? 00:00:00 dovecot/auth root 2913 1 0 Mar22 ? 00:00:05 /usr/local/sbin/dovecot dovecot 2914 2913 0 Mar22 ? 00:00:01 dovecot/anvil root 2915 2913 0 Mar22 ? 00:00:02 dovecot/log root 5702 2913 0 21:01 ? 00:00:00 dovecot/auth -w root 18333 2913 0 07:23 ? 00:00:01 dovecot/config dovecot 18459 2913 0 07:28 ? 00:00:00 dovecot/imap-login dovecot 18460 2913 0 07:28 ? 00:00:00 dovecot/imap-login mark 18462 2913 0 07:28 ? 00:00:01 dovecot/imap gpc 18463 2913 0 07:28 ? 00:00:00 dovecot/imap dovecot 24840 2913 0 11:39 ? 00:00:00 dovecot/imap-login mark 24841 2913 0 11:39 ? 00:00:00 dovecot/imap [root@sbh16 ~]#
One curious thing I noticed
[root@sbh16 ~]# grep 16817 /var/log/maillog Mar 26 06:22:58 sbh16 postfix/smtpd[16817]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable Mar 26 06:22:58 sbh16 postfix/smtpd[16817]: fatal: no SASL authentication mechanisms Mar 26 06:22:59 sbh16 postfix/master[25437]: warning: process /usr/libexec/postfix/smtpd pid 16817 exit status 1 [root@sbh16 ~]#
I.e. the log goes back to March 21, and those 3 messages are the only occurrences of that postfix/smtpd PID. The same is true for other occurrences of the problem.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 27.3.2010, at 6.43, Mark Sapiro wrote:
Timo Sirainen wrote:
On Tue, 2010-03-23 at 09:28 -0700, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
Ah, just realized. This should help: http://hg.dovecot.org/dovecot-2.0/rev/96496e1d3d12
Timo Sirainen wrote:
On 27.3.2010, at 6.43, Mark Sapiro wrote:
Timo Sirainen wrote:
=20 On Tue, 2010-03-23 at 09:28 -0700, Mark Sapiro wrote:
Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to private/auth failed: Resource temporarily unavailable
Ah, just realized. This should help: http://hg.dovecot.org/dovecot-2.0/rev/96496e1d3d12
Thanks Timo.
I applied both http://hg.dovecot.org/dovecot-2.0/rev/96496e1d3d12 and http://hg.dovecot.org/dovecot-2.0/rev/aefa279e2c70
I'll report back.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Mark Sapiro wrote:
Timo Sirainen wrote:
On 27.3.2010, at 6.43, Mark Sapiro wrote:
Timo Sirainen wrote:
=20 On Tue, 2010-03-23 at 09:28 -0700, Mark Sapiro wrote:
> Mar 6 07:06:20 sbh16 postfix/smtpd[30273]: warning: SASL: Connect to > private/auth failed: Resource temporarily unavailable
Ah, just realized. This should help: http://hg.dovecot.org/dovecot-2.0/rev/96496e1d3d12
Thanks Timo.
I applied both http://hg.dovecot.org/dovecot-2.0/rev/96496e1d3d12 and http://hg.dovecot.org/dovecot-2.0/rev/aefa279e2c70
I'll report back.
It's been over a week since I installed the above two patches and I have seen no more occurrences so I think the patches solved the problem.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (2)
-
Mark Sapiro
-
Timo Sirainen