RE: question re. sasl authentication
Mar 3, 2013

Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Red Hat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
Sent: 03 March 2013 08:13
Subject: Re: question re. sasl authentication
* Miles Fidelman <mfidelman@...>:
> Hi Folks,
> I just had a user's password compromised - with the result that a
> bunch of spam was sent through her account. (Fixed by changing her
> But, in the process, I had to learn a lot about how Postfix wires
> together with Cyrus SASL, and that in turn with PAM. I discovered
> something that confuses me, and I hope someone can help:
> - our system is set up to authenticate smtpd transactions via
> saslauthd (and then to pam_unix to the password db)
> - as soon as I changed the user's password, IMAP started failing
> authentication and the password had to be changed, BUT...
> - we could still SEND mail via smtpd using either username/newpassword
> or username/oldpassword

saslauthd may use a cache. Maybe the cache was active and saslauthd didn't notice the old pass had been changed.

> - eventually this timed out and the old password stopped working

The cache expired.

> - obviously the old password was being cached somewhere, my assumption
> being in the saslauthd credentials cache, BUT, that doesn't explain
> why smtpd continued to accept the old password for a while

smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself, but completely relies on Cyrus SASL to take care of that.

> Which leads to several questions:
> - the general one: anybody know what's going on?
> - is postfix doing some of its own authentication caching (as
> suggested by the variable smtp_sasl_auth_cache_time)

It will for the smtp SMTP client, but not for the smtpd SMTP server. All options that start with smtp_ apply to the smtp client.

> - and most important: is there a way to flush the cache?

Restart saslauthd?

[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, commercial register: Amtsgericht München HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
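As an added example (not code from the thread, and not Cyrus SASL's or sys4's own), the script below inspects and adjusts the saslauthd cache settings in a Red Hat style /etc/sysconfig/saslauthd, the file the reply above points at. It assumes, from the saslauthd(8) man page rather than from the thread, that the credential cache is only active when the daemon is started with -c, and that -t <seconds> sets how long a cached entry stays valid (default 28800 seconds, i.e. 8 hours). The sysconfig file contents and the temp directory are constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (saslauthd(8),
# not the thread): caching is on only with -c; -t N sets the entry lifetime
# in seconds, default 28800. Sample file below is constructed for the demo.

# Print the value of the last FLAGS= line in the sysconfig file $1 with the
# surrounding quotes stripped, or nothing if the file has no FLAGS line.
saslauthd_flags() {
    sed -n 's/^FLAGS=//p' "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print the effective cache lifetime in seconds, or "off" when -c is absent
# (then -t is irrelevant: nothing is cached at all).
saslauthd_cache_ttl() {
    set -- $(saslauthd_flags "$1")
    caching=no
    ttl=28800
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) caching=yes ;;
            -t) if [ $# -gt 1 ]; then shift; ttl=$1; fi ;;
        esac
        shift
    done
    if [ "$caching" = yes ]; then echo "$ttl"; else echo off; fi
}

# Rewrite FLAGS in file $1 so caching is on with a $2 second lifetime.
# Any previous -c / -t N tokens are dropped, other flags (thread count,
# socket dir, ...) are kept in order. The file is replaced atomically.
saslauthd_set_cache_ttl() {
    file=$1
    seconds=$2
    set -- $(saslauthd_flags "$file")
    kept=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) ;;
            -t) if [ $# -gt 1 ]; then shift; fi ;;
            *) kept="$kept $1" ;;
        esac
        shift
    done
    kept="${kept# }"
    new="FLAGS=\"${kept:+$kept }-c -t $seconds\""
    # Replace the first FLAGS line, drop duplicates, append if none existed.
    awk -v new="$new" '
        /^FLAGS=/ { if (!done) { print new; done = 1 }; next }
        { print }
        END { if (!done) print new }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed sample: a host that caches credentials (-c) and therefore
# keeps a changed password valid for the default 8 hours.
demo_dir=$(mktemp -d)
SASLAUTHD_SYSCONFIG="$demo_dir/saslauthd"
cat > "$SASLAUTHD_SYSCONFIG" <<'EOF'
# constructed demo copy of /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS="-c"
EOF

echo "before: cache ttl = $(saslauthd_cache_ttl "$SASLAUTHD_SYSCONFIG")"
saslauthd_set_cache_ttl "$SASLAUTHD_SYSCONFIG" 1
echo "after:  cache ttl = $(saslauthd_cache_ttl "$SASLAUTHD_SYSCONFIG")"   # 1
echo "after:  FLAGS     = $(saslauthd_flags "$SASLAUTHD_SYSCONFIG")"       # -c -t 1
```

The new FLAGS value only reaches the daemon after saslauthd is restarted, which is also the thread's answer for flushing the cache immediately. To confirm what saslauthd itself accepts after a password change, independent of Postfix, `testsaslauthd -u <user> -p <password>` (shipped with Cyrus SASL) queries the running daemon directly.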