David Jonas
2012-May-01 02:28 UTC
[Dovecot] dovecot sasl with postfix: SASL LOGIN authentication failed: Connection lost to authentication server
When using dovecot (2.1.5) sasl with postfix (2.8.4) behind nginx smtp proxy I am seeing a ton of errors of the form: postfix/smtpd[7731]: warning: unknown[192.168.0.6]: SASL LOGIN authentication failed: Connection lost to authentication server Nothing is printed by dovecot in the logs regarding the error. It seems that dovecot just hung up on postfix. (side note: no, can't use xclient in nginx/postfix. But perhaps soon.) After much digging I thought I solved it with: login_trusted_networks = 172.20.20.0/24 mail_max_userip_connections = 0 This seems safe enough because dovecot is only providing sasl to postfix, no connections to the outside world. But the error is still happening. # doveadm penalty IP penalty last_penalty last_update 172.20.20.61 1 2012-04-30 19:15:56 19:15:56 strace on the anvil process shows a lot of GETs and INCs: 18:54:06 read(14, "PENALTY-GET\t172.20.20.61\n", 397) = 25 <0.000016> 18:54:06 write(14, "1 1335837245\n", 13) = 13 <0.000029> A two minute survey showed penalty distribution: 0: 60% 1: 15% 2: 18% 3: 8% Finally I just disabled penalties with the info from http://www.dovecot.org/list/dovecot/2011-December/062631.html and that seemed to do it. Is there a better way? This took me a long time to run down so I tried to make this message detailed enough that others with similar problems will stumble upon it.
Timo Sirainen
2012-May-04 17:18 UTC
[Dovecot] dovecot sasl with postfix: SASL LOGIN authentication failed: Connection lost to authentication server
On 1.5.2012, at 5.28, David Jonas wrote:> When using dovecot (2.1.5) sasl with postfix (2.8.4) behind nginx smtp > proxy I am seeing a ton of errors of the form:..> Nothing is printed by dovecot in the logs regarding the error. It seems > that dovecot just hung up on postfix. (side note: no, can't use xclient > in nginx/postfix. But perhaps soon.)So nginx hides the client's IP.> Finally I just disabled penalties with the info from > > http://www.dovecot.org/list/dovecot/2011-December/062631.html > > and that seemed to do it. Is there a better way?Nope, other than enabling XCLIENT so Dovecot sees the clients' real IPs instead of nginx's.