
Re: question re. sasl authentication

  • Patrick Ben Koetter
    Mar 3, 2013
      * Miles Fidelman <mfidelman@...>:
      > Hi Folks,
      >
      > I just had a users' password compromised - with the result that a
      > bunch of spam was sent through her account. (Fixed by changing her
      > password.)
      >
      > But, in the process, I had to learn a lot about how Postfix wires
      > together with Cyrus SASL, and that in turn with PAM. I discovered
      > something that confuses me, and I hope someone can help:
      >
      > - our system is set up to authenticate smtpd transactions via
      > saslauthd (and then to pam_unix to the password db)
      >
      > - as soon as I changed the user's password, IMAP started failing
      > authentication and the password had to be changed, BUT...
      >
      > - we could still SEND mail via smtpd using either
      > username/newpassword or username/oldpassword

      saslauthd may use a cache. Maybe the cache was active and saslauthd didn't
      notice the old pass had been changed.


      > - eventually this timed out and the old password stopped working

      The cache expired.

      > - obviously the old password was being cached somewhere, my
      > assumption being in the saslauthd credentials cache, BUT, that
      > doesn't explain why smtpd continued to accept the old password for a
      > while

      smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself,
      but completely relies on Cyrus SASL to take care of that.

      > Which leads to several questions:
      >
      > - the general one: anybody know what's going on?
      >
      > - is postfix doing some of its own authentication caching (as
      > suggested by the variable smtp_sasl_auth_cache_time)

      It will for the smtp SMTP client, but not for the smtpd SMTPD server. All
      options that start with smtp_ apply to the smtp_-client.

      > - and most important: is there a way to flush the cache?

      Restart saslauthd?

      p@rick

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
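The reply above pins the behaviour on saslauthd's credential cache: while a cached entry is valid, smtpd keeps accepting the old password until the cache entry times out or saslauthd is restarted. The following shell script is an added example, not code from the thread or from the Cyrus SASL project. It reads the saslauthd startup flags (the `OPTIONS` line style used by Debian's `/etc/default/saslauthd` is assumed), reports whether the cache is on and how long entries live, and shows the flush step as a separate function. The flag semantics it relies on are saslauthd's own: `-c` enables the cache and `-t` sets the entry timeout in seconds, with 28800 as the compiled-in default; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): inspect saslauthd's credential
# cache settings and show how to flush them after a password change.
# Assumption: flags are given the way Debian's /etc/default/saslauthd OPTIONS line
# gives them, e.g. OPTIONS="-c -m /var/run/saslauthd -a pam".

# saslauthd_cache_status "<flags>"
# Prints "disabled" when -c is absent, otherwise "enabled timeout=<seconds>".
# Without -t saslauthd uses its built-in default of 28800 s (8 hours), which is
# the window during which a revoked password may still be accepted.
saslauthd_cache_status() {
    flags="$1"
    enabled=no
    timeout=28800
    # Word-split the flag string into positional parameters (intentionally unquoted).
    set -- $flags
    while [ $# -gt 0 ]; do
        case "$1" in
            -c)  enabled=yes ;;
            -t)  shift; timeout="$1" ;;      # "-t 600" form
            -t*) timeout="${1#-t}" ;;        # "-t600" form
        esac
        shift
    done
    if [ "$enabled" = yes ]; then
        echo "enabled timeout=$timeout"
    else
        echo "disabled"
    fi
}

# running_saslauthd_flags
# Prints the flags of the saslauthd process that is actually running, so the
# check reflects reality rather than a config file that may not have been reloaded.
running_saslauthd_flags() {
    ps -o args= -C saslauthd 2>/dev/null | head -n 1 | sed 's/^[^ ]*saslauthd //'
}

# flush_saslauthd_cache
# The cache lives in saslauthd's memory; restarting the daemon discards it, which
# is the response step after a credential compromise. Uses systemctl where present
# and falls back to the init script. Not invoked by the checks below.
flush_saslauthd_cache() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart saslauthd
    else
        /etc/init.d/saslauthd restart
    fi
}

# Usage when run directly: report the live cache settings.
if [ "${0##*/}" = "saslauthd_cache_check.sh" ]; then
    echo "saslauthd cache: $(saslauthd_cache_status "$(running_saslauthd_flags)")"
fi
```

Reading the flags from the running process rather than from the config file matters here: a shortened `-t` only takes effect after saslauthd has been restarted, and until then the old, longer timeout is what governs how long a changed password keeps working over SMTP AUTH.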