Hello,

is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:

clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2

The configuration I have now gives me this error randomly:

535 5.7.8 Error: authentication failed: Connection lost to authentication server

This is probably because haproxy changes servers while the session is still active (postfix sasl doesn't establish a new connection to the auth service every time a new auth request arrives).

Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.

# POSTFIX
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = inet:127.0.0.1:20025
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot

# HAPROXY
frontend postfix-sasl
    bind 127.0.0.1:20025
    default_backend dovecot-auth

backend dovecot-auth
    mode tcp
    option tcplog
    option srvtcpka
    hash-type consistent
    balance roundrobin
    server mail-backend-1 31.220.19.52:20025 check
    server mail-backend-2 31.220.19.53:20025 check

Edgaras Lukoševičius wrote on 2015-03-27 12:21:

> is it possible to configure haproxy to work with postfix
> sasl and dovecot auth like this:
>
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1,
> 20025:auth-backend-2

configure cyrus-sasl as a remote imap client is more simple

if imap hostname is dns round robin it would be ha-avail already

keep postfix simple

Can't dovecot authenticate against imap?

What I need is to make smtp authentication balanced and keep everything in backend (private network)

On 27 Mar 2015, at 13:29, Benny Pedersen <me at junc.eu> wrote:

> Edgaras Lukoševičius wrote on 2015-03-27 12:21:
>
>> is it possible to configure haproxy to work with postfix
>> sasl and dovecot auth like this:
>> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1,
>> 20025:auth-backend-2
>
> configure cyrus-sasl as a remote imap client is more simple
>
> if imap hostname is dns round robin it would be ha-avail already
>
> keep postfix simple

On 03/27/2015 07:21 AM, Edgaras Lukoševičius wrote:

> Hello,
>
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
>
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2

Why don't you set up a dovecot locally (with only auth service) on each postfix box?

Gedalya wrote on 2015-03-27 14:48:

>> is it possible to configure haproxy to work with postfix
>> sasl and dovecot auth like this:
>> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1,
>> 20025:auth-backend-2
> Why don't you set up a dovecot locally (with only auth service) on
> each postfix box?

cyrus-sasl is still needed, and dovecot will be overkill just for auth client

On 27 Mar 2015, at 13:21, Edgaras Lukoševičius <edgaras.lukosevicius at gmail.com> wrote:

> Hello,
>
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
>
> clients -> 25:postfix -> 20025:haproxy -> 20025:auth-backend-1, 20025:auth-backend-2
>
> The configuration I have now gives me this error randomly:
> 535 5.7.8 Error: authentication failed: Connection lost to authentication server
>
> This is probably because haproxy changes servers while the session is still active (postfix sasl doesn't establish a new connection to the auth service every time a new auth request arrives)
>
> Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.

There's nothing Dovecot can do about it, because the error handling is in Postfix code. Although I suppose Dovecot-auth could drop the connection itself, but that would still cause random problems if Postfix was just about to authenticate using that connection.

Postfix could in theory handle a dropped auth connection by reconnecting and retrying, although maybe still logging a warning. That doesn't work perfectly for all SASL mechanisms though.

Does haproxy disconnect completely randomly or only after the connection has existed for n minutes? Maybe having a Postfix setting for "max time for auth connection existence before reconnect" would work too if it was set lower than haproxy's connection timeout. But yeah, in any case it would need Postfix code changes.

As for recommending IMAP authentication (whether via Cyrus or via Dovecot imapc): It would work of course, but I wouldn't want to use it myself. It causes extra confusion in logs because you now need to separate out the SMTP-auth-IMAP-logins from regular IMAP-logins (assuming you care about that at all). IMAP login is also much more expensive than a simple authentication check.
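
The question in the last reply (does the proxy drop auth connections at random, or only after some time) can be checked from the Postfix log by measuring, per smtpd process, how long the auth connection sat unused before each "Connection lost" failure. This is an added example, not code from anyone in the thread; the log lines are constructed, and it assumes each smtpd PID holds one auth connection that is opened around that PID's first log line.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the thread); addresses are placeholders.
SAMPLE_LOG = """\
Mar 27 12:00:01 mx postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Mar 27 12:00:02 mx postfix/smtpd[4101]: 3A1B2C: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar 27 12:00:40 mx postfix/smtpd[4102]: connect from unknown[192.0.2.11]
Mar 27 12:00:41 mx postfix/smtpd[4102]: 3A1B2D: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=bob
Mar 27 12:01:05 mx postfix/smtpd[4101]: connect from unknown[192.0.2.12]
Mar 27 12:01:06 mx postfix/smtpd[4101]: warning: unknown[192.0.2.12]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 27 12:01:10 mx postfix/smtpd[4102]: connect from unknown[192.0.2.13]
Mar 27 12:01:11 mx postfix/smtpd[4102]: 3A1B2E: client=unknown[192.0.2.13], sasl_method=PLAIN, sasl_username=carol
Mar 27 12:02:20 mx postfix/smtpd[4102]: connect from unknown[192.0.2.14]
Mar 27 12:02:21 mx postfix/smtpd[4102]: warning: unknown[192.0.2.14]: SASL LOGIN authentication failed: Connection lost to authentication server
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
LOST = "Connection lost to authentication server"

def auth_gaps(log, year=2015):
    """Seconds since a PID last used its auth connection, split by outcome."""
    last_use = {}                      # smtpd PID -> time the auth socket was last used
    gaps = {"ok": [], "lost": []}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; one is supplied so differences are well defined.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if pid not in last_use:
            last_use[pid] = ts         # assumption: first line of a PID ~ connection opened
            continue
        if "sasl_method=" in msg:
            kind = "ok"                # a successful SASL login used the connection
        elif "authentication failed" in msg and LOST in msg:
            kind = "lost"              # the failure reported in the thread
        elif "authentication failed" in msg:
            last_use[pid] = ts         # other failures (bad password) still used the socket
            continue
        else:
            continue
        gaps[kind].append(int((ts - last_use[pid]).total_seconds()))
        last_use[pid] = ts
    return gaps

def idle_window(gaps):
    """(longest idle gap that still worked, shortest idle gap that failed)."""
    return (max(gaps["ok"], default=None), min(gaps["lost"], default=None))
```

If every failed gap is longer than every working gap, the drops follow an idle timeout somewhere on the path rather than happening at random; overlapping ranges point elsewhere.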