dovecot - Oct 2015 - Haproxy and Dovecot auth

Hi all,

I'd like to use Haproxy to balance an auth service on a couple of
Dovecot directors to have a redundant sasl service for my Postfix instances.
While I configure the Postfixes to use, as smtpd_sasl_path, a direct
connection to one of the directors I notice no errors.
When I redirect the smtpd_sasl_path through an Haproxy balanced
connection, I receive an error the first time I try to sen an email.
The error is:
SASL PLAIN authentication failed: Connection lost to authentication server
If then I send more emails I receive no errors.
If I do not send emails for a few minutes, the error appears again.

The relevant Haproxy configuration is the following:

listen auth *:12345
      mode tcp
      balance source
      log global
      option tcplog
      option log-health-checks
      stick-table type ip size 200k expire 30m
      stick on src
      default-server inter 1000 fall 3 rise 1
      server dovecot-director01 dovecot-director01:12345 check

Do anyone have an idea about what it's missing?

Thanks a lot
Giuseppe

-- 
Giuseppe Civitella
gcivitella at entermail.it

On 15 Oct 2015, at 20:26, Giuseppe Civitella <gcivitella at entermail.it>
wrote:
> When I redirect the smtpd_sasl_path through an Haproxy balanced
> connection, I receive an error the first time I try to sen an email.
> The error is:
> SASL PLAIN authentication failed: Connection lost to authentication server
> If then I send more emails I receive no errors.
> If I do not send emails for a few minutes, the error appears again.
We?ve seen this happen as well, and concluded that this is caused by the Postfix
SASL client not recovering gracefully from lost TCP connections. If I remember
correctly, Postfix keeps a SASL authentication connection open for re-use, but
when this connection breaks down (e.g. due to a time out in the TCP connection
itself or due to Dovecot closing it on the other end due to inactivity) then the
next/first authentication attempt fails. Postfix will then not handle this error
as a temporary failure, but as an authentication failure (i.e. ?wrong
username/password?). After this, it will close the connection and the next
authentication attempt will re-establish the connection, and that will of course
succeed again.

This explains why you get this error only the first time (because it failed due
to the old/broken cnnection) and why after a few minutes the error appears again
(because by then the connection is stale again).

Now, I haven?t actually confirmed this, but I?m pretty sure the problem is in
the Dovecot SASL client in Postfix. It is written with the assumption that the
connection is over a UNIX socket. In those cases a broken connection is detected
earlier/differently (EPIPE) and Postfix will actually recover by reconnecting
and trying again. You might be able to confirm and possibly work around this
issue by forwarding UNIX socket connections to TCP, with tools like socat,
netcat, spiped etc.

-Arjan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151026/16210138/attachment.sig>