
prevent sasl auth when login in form user@domain

  • Fabio Sangiovanni
    Message 1 of 2 , Jan 17, 2013
      Hello list,

      I'm using postfix 2.6.6 with cyrus-sasl (saslauthd + pam_mysql).
      Everything works OK, except that I've noticed that users can log in successfully using their username with an arbitrary @domain part; that is, I see login success in 2 cases:
      - username = user
      - username = user@<arbitrary domain>

      My user table contains just the user part.

      How can I prevent logins in the form user@domain? (I need that for further mail processing that happens down the line.)

      Thanks in advance!

      Configuration follows (let me know if you need more information):

      # postconf -n
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      allow_min_user = yes
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      html_directory = no
      in_flow_delay = 0
      inet_interfaces = <my.private.lan.ip>
      inet_protocols = ipv4
      local_recipient_maps =
      local_transport = error:local delivery is disabled
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      message_size_limit = 27962028
      mydestination =
      mydomain = <domain.tld>
      myhostname = <hostname.domain.tld>
      mynetworks = <my.private.lan.subnet/cidr>
      newaliases_path = /usr/bin/newaliases.postfix
      parent_domain_matches_subdomains =
      debug_peer_list,
      fast_flush_domains,
      mynetworks,
      permit_mx_backup_networks,
      qmqpd_authorized_clients,
      relay_domains
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
      relay_domains =
      relayhost = [my.relay.host.ip]
      sample_directory = /usr/share/doc/postfix-2.6.6/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_banner = $myhostname ESMTP Service Ready
      smtpd_discard_ehlo_keywords = dsn
      smtpd_hard_error_limit = ${stress?10}${stress:200}
      smtpd_helo_required = yes
      smtpd_recipient_limit = 10000
      smtpd_recipient_restrictions =
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      check_recipient_access hash:/etc/postfix/domain.hash,
      permit_sasl_authenticated,
      reject_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = cyrus
      smtpd_soft_error_limit = 100
      smtpd_tls_cert_file = </path/to/my/cert>
      smtpd_tls_key_file = </path/to/my/key>
      smtpd_tls_loglevel = 1
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_scache
      unknown_local_recipient_reject_code = 550

      # saslauthd command line
      /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 0

      # /etc/pam.d/smtp.postfix
      auth required pam_mysql.so user=<user> passwd=<pass> host=<my.auth.backend.ip> db=postfix table=User usercolumn=username passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND User.isDeleted="0"]
      account sufficient pam_mysql.so user=<user> passwd=<pass> host=<my.auth.backend.ip> db=postfix table=User usercolumn=username passwdcolumn=password crypt=md5 [where=User.isEnabled="1" AND User.isDeleted="0"]

      # /etc/sasl2/smtpd.conf
      pwcheck_method: saslauthd
      mech_list: plain login
    • Benny Pedersen
      Message 2 of 2 , Jan 19, 2013
        Fabio Sangiovanni skrev den 2013-01-17 18:54:

        > # saslauthd command line
        > /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 0

        change to rimap or use cyrus-sasl with direct mysql lookup

        pam on its own strips @example.org (so "user" and "user@example.org" reach pam_mysql as the same username, which is why both log in successfully)

        mysql sample.conf

        https://redmine.oav.net/repositories/entry/openvisp/admin/trunk/contrib/configurations/postfix/smtpd.conf

        with that conf it's not needed to use saslauthd