When using dovecot (2.1.5) sasl with postfix (2.8.4) behind nginx smtp proxy I am seeing a ton of errors of the form:

postfix/smtpd[7731]: warning: unknown[192.168.0.6]: SASL LOGIN authentication failed: Connection lost to authentication server

Nothing is printed by dovecot in the logs regarding the error. It seems that dovecot just hung up on postfix. (side note: no, can't use xclient in nginx/postfix. But perhaps soon.)

After much digging I thought I solved it with:

login_trusted_networks = 172.20.20.0/24 mail_max_userip_connections = 0

This seems safe enough because dovecot is only providing sasl to postfix, no connections to the outside world.

But the error is still happening.

# doveadm penalty IP penalty last_penalty last_update 172.20.20.61 1 2012-04-30 19:15:56 19:15:56

strace on the anvil process shows a lot of GETs and INCs:

18:54:06 read(14, "PENALTY-GET\t172.20.20.61\n", 397) = 25 <0.000016> 18:54:06 write(14, "1 1335837245\n", 13) = 13 <0.000029>

A two minute survey showed penalty distribution:

0: 60% 1: 15% 2: 18% 3: 8%

Finally I just disabled penalties with the info from

http://www.dovecot.org/list/dovecot/2011-December/062631.html

and that seemed to do it. Is there a better way?

This took me a long time to run down so I tried to make this message detailed enough that others with similar problems will stumble upon it.