291749 Re: question re. sasl authentication
- Mar 3, 2013
* Miles Fidelman <mfidelman@...>:
> Hi Folks,
> I just had a user's password compromised - with the result that a
> bunch of spam was sent through her account. (Fixed by changing her
> But, in the process, I had to learn a lot about how Postfix wires
> together with Cyrus SASL, and that in turn with PAM. I discovered
> something that confuses me, and I hope someone can help:
> - our system is set up to authenticate smtpd transactions via
> saslauthd (and then to pam_unix to the password db)
> - as soon as I changed the user's password, IMAP started failing
> authentication and the password had to be changed, BUT...
> - we could still SEND mail via smtpd using either
> username/newpassword or username/oldpassword

saslauthd may use a cache. Maybe the cache was active and saslauthd didn't
notice the old pass had been changed.

> - eventually this timed out and the old password stopped working

The cache expired.

> - obviously the old password was being cached somewhere, my
> assumption being in the saslauthd credentials cache, BUT, that
> doesn't explain why smtpd continued to accept the old password for a

smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself,
but completely relies on Cyrus SASL to take care of that.

> Which leads to several questions:
> - the general one: anybody know what's going on?
> - is postfix doing some of its own authentication caching (as
> suggested by the variable smtp_sasl_auth_cache_time)

It will for the smtp SMTP client, but not for the smtpd SMTPD server. All
options that start with smtp_ apply to the smtp_-client.

> - and most important: is there a way to flush the cache?

Restart saslauthd?

[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
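
The saslauthd credential cache discussed in the reply above determines how long a replaced password can keep working for SMTP AUTH. The following is an added example, not part of the original thread or of Cyrus SASL: it reads a saslauthd command line and reports that window. The function name `cache_window`, the sample command lines and the 28800-second default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Given a saslauthd command line, report
# how long a cached (old) password can keep authenticating after a change.
# Option letters follow the saslauthd(8) synopsis. DEFAULT_TIMEOUT is an
# assumption: the built-in cache lifetime used when -c is given without -t.
DEFAULT_TIMEOUT=28800

cache_window() {
    # $1: full command line, e.g. from: ps -o args= -C saslauthd
    # Prints "disabled" or the cache lifetime in seconds.
    cache=0
    timeout=$DEFAULT_TIMEOUT
    set -- $1                      # intentional word splitting
    [ $# -gt 0 ] && shift          # drop the program name
    OPTIND=1
    while getopts "a:O:m:n:s:t:Tvdchlr" opt "$@" 2>/dev/null; do
        case $opt in
            c) cache=1 ;;          # -c enables the credential cache
            t) timeout=$OPTARG ;;  # -t sets cache expiry in seconds
        esac
    done
    if [ "$cache" -eq 1 ]; then echo "$timeout"; else echo disabled; fi
}

# Constructed sample command lines (not taken from the poster's system).
for cmd in \
    "/usr/sbin/saslauthd -a pam -c -t 600 -m /var/run/saslauthd" \
    "/usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd" \
    "/usr/sbin/saslauthd -a pam -m /var/run/saslauthd"
do
    w=$(cache_window "$cmd")
    if [ "$w" = disabled ]; then
        echo "saslauthd cache off | $cmd"
    else
        echo "old password may work for up to ${w}s; restart saslauthd to flush | $cmd"
    fi
done
```

After resetting a compromised account's password, a non-"disabled" result means saslauthd should be restarted as part of the response, as suggested in the reply.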