Symptoms
Authentication works only on the first qmail server in a cluster after POA 5.4.13 installation. Below is an example of a successful login:
# telnet mta1.provider.com 110
Trying 10.39.84.21...
Connected to 10.39.84.21.
Escape character is '^]'.
+OK Hello there.
user qmailbox@customer.com
+OK Password required.
pass xxxxxx
+OK logged in.
On all other qmail servers in the cluster, authentication fails as in the example below:
# telnet mta2.provider.com 110
Trying 10.39.84.22...
Connected to 10.39.84.22.
Escape character is '^]'.
+OK Hello there.
user qmailbox@customer.com
+OK Password required.
pass xxxxxx
-ERR Login failed.
As a result, all customers whom the load balancer directs to any qmail server other than the first one cannot log in to their mailboxes with mail clients. Webmail is affected as well.
Cause
POA 5.4.13 puts the IP address of only the first qmail server in the cluster in the /etc/openldap/schema/mail.access file which is included in the /etc/openldap/slapd.conf file on the LDAP server used by the qmail cluster. The LDAP server accepts requests only from servers listed in the mail.access file. As a result, only the first qmail server in the cluster can authenticate mail users.
Resolution
Add the IP addresses of all qmail servers in the cluster and the IP address of the POA Management Node to the /etc/openldap/schema/mail.access file on the LDAP server, as in the example below:

# Allow access only for the authorized admin user and for qmail hosts
access to dn.subtree="ou=mail,dc=pem,dc=swsoft,dc=com"
        by peername.regex=127\.0\.0\.1 read
        by peername.regex=10\.39\.84\.20 read    # POA Management Node
        by peername.regex=10\.39\.84\.21 read    # qmail server #1 IP address
        by peername.regex=10\.39\.94\.21 read    # qmail server #1 IP address
        by peername.regex=10\.39\.84\.22 read    # qmail server #2 IP address
        by peername.regex=10\.39\.94\.22 read    # qmail server #2 IP address
        by users none
        by * none
Restart the ldap service on the LDAP server:

/etc/init.d/ldap restart
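The check below is an added example, not part of the original article or of POA: it evaluates a mail.access ACL with slapd's first-matching-clause rule against a list of cluster addresses and reports which hosts would still be denied (the ones whose users would see "-ERR Login failed."). The sample ACL, the cluster addresses and the port are constructed; slapd compares peername.regex against the string "IP=<addr>:<port>", and the pattern is unanchored, so the test uses re.search.

```python
import re

# Constructed sample of /etc/openldap/schema/mail.access (not the article's
# file): a third qmail server was added to the cluster but not to the ACL.
SAMPLE_ACCESS = """\
# Allow access only for the authorized admin user and for qmail hosts
access to dn.subtree="ou=mail,dc=pem,dc=swsoft,dc=com"
    by peername.regex=127\\.0\\.0\\.1 read
    by peername.regex=10\\.39\\.84\\.20 read   # POA Management Node
    by peername.regex=10\\.39\\.84\\.21 read   # qmail server #1
    by peername.regex=10\\.39\\.84\\.22 read   # qmail server #2
    by users none
    by * none
"""

BY_RE = re.compile(r'\bby\s+(\S+)\s+(\S+)')

def by_clauses(acl_text):
    """Return the 'by <who> <level>' clauses in file order, skipping
    comment lines (slapd.conf treats lines starting with '#' as comments)."""
    clauses = []
    for line in acl_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        clauses.extend(BY_RE.findall(line))
    return clauses

def access_for_peer(acl_text, ip, port=54321):
    """Evaluate the ACL the way slapd does: the first matching 'by' clause
    wins.  slapd matches peername.regex against 'IP=<addr>:<port>' with an
    unanchored regex, hence re.search.  The qmail host is assumed to bind
    as the admin user, so 'users' and '*' match it; other 'who' forms
    (dn, group, ...) are assumed not to."""
    peer = "IP=%s:%d" % (ip, port)
    for who, level in by_clauses(acl_text):
        if who.startswith('peername.regex='):
            if re.search(who[len('peername.regex='):], peer):
                return level
        elif who in ('*', 'users'):
            return level
    return 'none'  # slapd grants nothing when no clause matches

def peers_denied(acl_text, expected_ips):
    """Return the cluster addresses the ACL grants no access to, i.e. the
    qmail hosts whose mailbox logins would fail as in the symptoms."""
    return [ip for ip in expected_ips
            if access_for_peer(acl_text, ip) == 'none']

if __name__ == '__main__':
    cluster = ['10.39.84.20', '10.39.84.21', '10.39.84.22', '10.39.84.23']
    print("Hosts missing from mail.access:", peers_denied(SAMPLE_ACCESS, cluster))
```

Because the pattern is unanchored, `10\.39\.84\.21` also matches 10.39.84.210; anchor with `^IP=...:` if the cluster subnet makes such prefix matches possible.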