Hello,
is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
The configuration I have now gives me this error randomly: 535 5.7.8 Error: authentication failed: Connection lost to authentication server
This is probably because haproxy changes servers while the session is still active (postfix sasl doesn’t establish a new connection to the auth service every time a new auth request arrives).
Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.
# POSTFIX
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = inet:127.0.0.1:20025
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot

# HAPROXY
frontend postfix-sasl
    bind 127.0.0.1:20025
    default_backend dovecot-auth

backend dovecot-auth
    mode tcp
    option tcplog
    option srvtcpka
    hash-type consistent
    balance roundrobin
    server mail-backend-1 31.220.19.52:20025 check
    server mail-backend-2 31.220.19.53:20025 check
Edgaras Lukoševičius wrote on 2015-03-27 12:21:
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2

configure cyrus-sasl as a remote imap client is more simple
if imap hostname is dns round robin it would be ha-avail already
keep postfix simple
Can’t dovecot authenticate against imap?
What I need is to make smtp authentication balanced and keep everything in backend (private network)

On 27 Mar 2015, at 13:29, Benny Pedersen <me@junc.eu> wrote:
> Edgaras Lukoševičius wrote on 2015-03-27 12:21:
>> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this: clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
> configure cyrus-sasl as a remote imap client is more simple
> if imap hostname is dns round robin it would be ha-avail already
> keep postfix simple
Edgaras Lukoševičius wrote on 2015-03-27 14:34:
> Can’t dovecot authenticate against imap?

will it be trusted?

> What I need is to make smtp authentication balanced and keep everything in backend (private network)

dovecot is not a smtp server, that's why i say cyrus-sasl
yes cyrus-sasl is ha-avail with rimap, but there is a minor problem with it, haproxy and rimap both have the same problem of connecting to one ip that times out before the next ip is used, haproxy does imho not solve this better than rimap
I don’t want to allow public network facing servers to be able to reach the password database. And I want to segregate the roles of the servers. If I set up dovecot locally I will still have to provide it access to the database (eg. /etc/dovecot/dovecot-sql.conf.ext).

On 27 Mar 2015, at 15:49, Benny Pedersen <me@junc.eu> wrote:
> Edgaras Lukoševičius wrote on 2015-03-27 14:34:
>> Can’t dovecot authenticate against imap?
> will it be trusted?
>> What I need is to make smtp authentication balanced and keep everything in backend (private network)
> dovecot is not a smtp server, that's why i say cyrus-sasl
> yes cyrus-sasl is ha-avail with rimap, but there is a minor problem with it, haproxy and rimap both have the same problem of connecting to one ip that times out before the next ip is used, haproxy does imho not solve this better than rimap
Edgaras Lukoševičius wrote on 2015-03-27 14:58:
> I don’t want to allow public network facing servers to be able to reach the password database. And I want to segregate the roles of the servers.
> If I set up dovecot locally I will still have to provide it access to the database (eg. /etc/dovecot/dovecot-sql.conf.ext).

did you read the cyrus-sasl docs?
it can read auth from sql, so no need for dovecot there
I will install cyrus-sasl and see how it goes.
Anyway, it would be nice to have the same features (authentication against imap) in dovecot.

On 27 Mar 2015, at 16:27, Benny Pedersen <me@junc.eu> wrote:
> Edgaras Lukoševičius wrote on 2015-03-27 14:58:
>> I don’t want to allow public network facing servers to be able to reach the password database. And I want to segregate the roles of the servers.
>> If I set up dovecot locally I will still have to provide it access to the database (eg. /etc/dovecot/dovecot-sql.conf.ext).
> did you read the cyrus-sasl docs?
> it can read auth from sql, so no need for dovecot there
On 03/27/2015 11:00 AM, Edgaras Lukoševičius wrote:
> Anyway, it would be nice to have the same features (authentication against imap) in dovecot.

Check this out: http://wiki2.dovecot.org/PasswordDatabase/IMAP
Gedalya wrote on 2015-03-27 16:03:
> On 03/27/2015 11:00 AM, Edgaras Lukoševičius wrote:
>> Anyway, it would be nice to have the same features (authentication against imap) in dovecot.
> Check this out: http://wiki2.dovecot.org/PasswordDatabase/IMAP

this is when one dovecot needs to have auth from another dovecot auth master backend, not when postfix needs to have authed users on remote
imho it says postfix in the subject?
On 03/27/2015 11:14 AM, Benny Pedersen wrote:
> Gedalya wrote on 2015-03-27 16:03:
>> On 03/27/2015 11:00 AM, Edgaras Lukoševičius wrote:
>>> Anyway, it would be nice to have the same features (authentication against imap) in dovecot.
>> Check this out: http://wiki2.dovecot.org/PasswordDatabase/IMAP
> this is when one dovecot needs to have auth from another dovecot auth master backend, not when postfix needs to have authed users on remote

In that case you should kindly update the Wiki page to say that.
Are you a cyrus developer or what? :D

On 27 Mar 2015 17:10, "Benny Pedersen" <me@junc.eu> wrote:
> Edgaras Lukoševičius wrote on 2015-03-27 16:00:
>> I will install cyrus-sasl and see how it goes.
> +1
>> Anyway, it would be nice to have the same features (authentication against imap) in dovecot.
> read more docs in cyrus-sasl, did i say rimap? :=)
Edgaras Lukoševičius wrote on 2015-03-27 20:34:
> Are you a cyrus developer or what? :D

thanks for asking :)
just used cyrus-sasl with sql a long time ago, when i ran courier-imap and postfix lda with openwisp admin, a fork of postfixadmin, while i coded a bit of policyd v1, sadly no one uses policyd v1 anymore :(
if it works now i am happy that you finally got it
On 27.03.2015 at 14:49, Benny Pedersen wrote:
>> What I need is to make smtp authentication balanced and keep everything in backend (private network)
> dovecot is not a smtp server, that's why i say cyrus-sasl

jesus christ keep your smart-ass responses for yourself
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
Once upon a time, Edgaras Lukoševičius <edgaras.lukosevicius@gmail.com> said:
> What I need is to make smtp authentication balanced and keep everything in backend (private network)

If you have more than one Postfix server, each one must talk to its own private Dovecot server for auth. The Dovecot auth protocol includes a client (Postfix) assigned ID, and Postfix uses the process ID. If you have multiple Postfix servers talking to one Dovecot server, you'll get ID conflicts and dropped auths.
I ended up putting a local instance of Dovecot on each Postfix server, with no protocols configured except for auth. Not quite as HA, but I have my monitoring system doing SMTP AUTH (never have had a problem with the setup); you could probably have HAProxy do it as well (IIRC it can do some basic expect-style send/receive).
--
Chris Adams <cma@cmadams.net>
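The monitoring check Chris describes, written out as an added example (not code from the thread or from Postfix/Dovecot): a small Python probe that performs one SMTP AUTH PLAIN attempt against a Postfix host and classifies the reply, so the random "535 5.7.8 ... Connection lost to authentication server" failures from the original report can be counted separately from ordinary bad-password rejections. The host, port and monitoring account in the main block are placeholders.

```python
"""Probe Postfix SMTP AUTH and tell 'auth backend lost' apart from 'bad password'."""
import base64
import re
import smtplib

# Reply text Postfix returns when its Dovecot auth connection drops mid-session
# (the 535 5.7.8 error quoted at the top of the thread).
LOST_AUTH_RE = re.compile(r"connection lost to authentication server", re.I)


def sasl_plain_initial(user: str, password: str, authzid: str = "") -> str:
    """Base64 initial response for AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def classify_auth_reply(code: int, message) -> str:
    """Map an SMTP reply to a monitoring state:
    235 -> ok; 535 with the 'connection lost' text -> auth-backend-lost (the bug
    discussed here); any other 535 -> bad-credentials; 4xx -> temporary-failure."""
    text = message.decode("utf-8", "replace") if isinstance(message, bytes) else str(message)
    if code == 235:
        return "ok"
    if code == 535:
        return "auth-backend-lost" if LOST_AUTH_RE.search(text) else "bad-credentials"
    if 400 <= code < 500:
        return "temporary-failure"
    return f"unexpected-{code}"


def probe_smtp_auth(host: str, port: int, user: str, password: str, timeout: float = 10.0) -> str:
    """One AUTH PLAIN attempt against host:port, returning the classification.
    STARTTLS is used when offered, since Postfix normally requires it before AUTH."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if smtp.has_extn("starttls"):
                smtp.starttls()
                smtp.ehlo()
            code, message = smtp.docmd("AUTH", "PLAIN " + sasl_plain_initial(user, password))
            return classify_auth_reply(code, message)
    except (OSError, smtplib.SMTPException) as exc:
        return f"connection-failed: {exc}"


if __name__ == "__main__":
    # Placeholder target and monitoring account (assumptions, not values from the thread).
    print(probe_smtp_auth("mail.example.invalid", 25, "monitor@example.invalid", "changeme"))
```

Run it from cron or your monitoring system and alert when the result is anything other than "ok"; an "auth-backend-lost" result is the symptom this thread is about, distinct from a wrong monitoring password.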
On 03/27/2015 07:21 AM, Edgaras Lukoševičius wrote:
> Hello,
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2

Why don't you set up a dovecot locally (with only auth service) on each postfix box?
Gedalya wrote on 2015-03-27 14:48:
>> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this: clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
> Why don't you set up a dovecot locally (with only auth service) on each postfix box?

cyrus-sasl is still needed, and dovecot will be overkill just for auth client
On 27.03.2015 at 15:04, Benny Pedersen wrote:
> Gedalya wrote on 2015-03-27 14:48:
>>> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this: clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
>> Why don't you set up a dovecot locally (with only auth service) on each postfix box?
> cyrus-sasl is still needed

bullshit, and to be honest nobody in his right mind who is aware of the capabilities configures cyrus-sasl on a server where postfix and dovecot are running already, instead of just using one common auth layer for incoming and outgoing mail supporting the same mechs and configuration
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

# configure backend for postfix sasl-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
On 27 Mar 2015, at 13:21, Edgaras Lukoševičius <edgaras.lukosevicius@gmail.com> wrote:
> Hello,
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
> The configuration I have now gives me this error randomly: 535 5.7.8 Error: authentication failed: Connection lost to authentication server
> This is probably because haproxy changes servers while the session is still active (postfix sasl doesn’t establish a new connection to the auth service every time a new auth request arrives).
> Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.

There's nothing Dovecot can do about it, because the error handling is in Postfix code. Although I suppose Dovecot-auth could drop the connection itself, but that would still cause random problems if Postfix was just about to authenticate using that connection. Postfix could in theory handle a dropped auth connection by reconnecting and retrying, although maybe still logging a warning. That doesn't work perfectly for all SASL mechanisms though. Does haproxy disconnect completely randomly or only after the connection has existed for n minutes? Maybe having a Postfix setting for "max time for auth connection existence before reconnect" would work too if it was set lower than haproxy's connection timeout. But yeah, in any case it would need Postfix code changes.
As for recommending IMAP authentication (whether via Cyrus or via Dovecot imapc): It would work of course, but I wouldn't want to use it myself. It causes extra confusion in logs because you now need to separate out the SMTP-auth-IMAP-logins from regular IMAP-logins (assuming you care about that at all). IMAP login is also much more expensive than a simple authentication check.