2

We're using Postfix with Dovecot and SASL Auth via Dovecot (based on this tutorial). All works like expected. But when Dovecot is down (i.e. for maintenance or other reasons) then clients could not authenticate at Postfix and Postfix rejects client requests because of smtpd_recipient_restrictions that follow after permit_sasl_authenticated.

Is there a ways to temporarily reject mails arriving at Postfix when Dovecot auth is down? Our postfix conf is:

smtpd_restriction_classes = check_sender_auth
check_sender_auth =
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated,
   reject
smtpd_recipient_restrictions =
   reject_invalid_helo_hostname,
   reject_non_fqdn_recipient,
   check_sender_access mysql:/etc/postfix/check_sender_domains,
   reject_non_fqdn_helo_hostname,
   [...]

check_sender_domains is a lookup table which return check_sender_auth for sender address claiming to be from us.

rabudde
  • 304
  • 5
  • 22

1 Answers1

5

You could change the reject_code for your submission listener to 450, so it is not a permanent reject but a defer. 

check_sender_auth =
   defer_if_reject 
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated,
   reject

See http://www.postfix.org/postconf.5.html#defer_if_reject for details.

Unfortunately, this is not simple to update when "dovecot goes down", which I admit has me puzzled; why does dovecot go down ?

If you experience outages due to dovecot maintenance, you should invest effort into not needing maintenance outages on dovecot.

Dovecot can run HA quite well; you could trivially run a secondary instance only for SASL (no IMAP services) on another box.

adaptr
  • 16,576
  • 23
  • 34
  • when asking my question, I just realized, that it has to do something with `reject` after `permit_sasl_authenticated`. I like the 5xx reject, because senders claiming to be from us would be rejected the hard way. But I believe you're right. I'll give a try to a 4xx code and give feedback – rabudde Jul 26 '12 at 13:20