RE: question re. sasl authentication

  • Bart J. Smit
    Mar 3, 2013
      Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

      Bart...

      -----Original Message-----
      From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
      Sent: 03 March 2013 08:13
      To: postfix-users@...
      Subject: Re: question re. sasl authentication

      * Miles Fidelman <mfidelman@...>:
      > Hi Folks,
      >
      > I just had a users' password compromised - with the result that a
      > bunch of spam was sent through her account. (Fixed by changing her
      > password.)
      >
      > But, in the process, I had to learn a lot about how Postfix wires
      > together with Cyrus SASL, and that in turn with PAM. I discovered
      > something that confuses me, and I hope someone can help:
      >
      > - our system is set up to authenticate smtpd transactions via
      > saslauthd (and then to pam_unix to the password db)
      >
      > - as soon as I changed the user's password, IMAP started failing
      > authentication and the password had to be changed, BUT...
      >
      > - we could still SEND mail via smtpd using either username/newpassword
      > or username/oldpassword

      saslauthd may use a cache. Maybe the cache was active and saslauthd didn't notice the old pass had been changed.


      > - eventually this timed out and the old password stopped working

      The cache expired.

      > - obviously the old password was being cached somewhere, my assumption
      > being in the saslauthd credentials cache, BUT, that doesn't explain
      > why smtpd continued to accept the old password for a while

      smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself, but completely relies on Cyrus SASL to take care of that.

      > Which leads to several questions:
      >
      > - the general one: anybody know what's going on?
      >
      > - is postfix doing some of its own authentication caching (as
      > suggested by the variable smtp_sasl_auth_cache_time)

      It will for the smtp SMTP client, but not for the smtpd SMTPD server. All options that start with smtp_ apply to the smtp_-client.

      > - and most important: is there a way to flush the cache?

      Restart saslauthd?

      p@rick

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
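      An added example, not part of the thread: a small POSIX shell function that reads a FLAGS= line in the Red Hat /etc/sysconfig/saslauthd format mentioned above and reports the effective credential-cache lifetime. It assumes saslauthd's documented behaviour that -c enables the cache and -t sets its timeout (default 28800 seconds); the sample FLAGS lines are constructed.

```shell
#!/bin/sh
# Report how long saslauthd keeps a verified password in its cache, given
# the FLAGS= line from /etc/sysconfig/saslauthd (constructed examples below).
# Prints the timeout in seconds, or "disabled" when -c (enable caching)
# is absent, since -t has no effect without -c.
saslauthd_cache_ttl() {
    flags="$1"
    # Strip the FLAGS= prefix and surrounding quotes, then split on spaces.
    set -- $(printf '%s\n' "$flags" | sed 's/^FLAGS=//; s/^"//; s/"$//')
    caching=no
    ttl=28800   # saslauthd default when -c is given without -t
    while [ $# -gt 0 ]; do
        case "$1" in
            -c)  caching=yes ;;
            -t)  if [ $# -gt 1 ]; then shift; ttl="$1"; fi ;;
            -t*) ttl="${1#-t}" ;;   # also accept the joined form -t1
        esac
        shift
    done
    if [ "$caching" = yes ]; then
        printf '%s\n' "$ttl"
    else
        printf 'disabled\n'
    fi
}

# Constructed sample lines as they might appear in /etc/sysconfig/saslauthd.
saslauthd_cache_ttl 'FLAGS=""'          # disabled: no cache, old passwords die immediately
saslauthd_cache_ttl 'FLAGS="-c"'        # 28800: a changed password can keep working for 8 hours
saslauthd_cache_ttl 'FLAGS="-c -t 1"'   # 1: the short timeout suggested in this thread
```

After changing the line, saslauthd must be restarted for the new timeout to apply, and restarting it also discards the current cache.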