question re. sasl authentication

  • Miles Fidelman
    Message 1 of 7, Mar 2, 2013
      Hi Folks,

      I just had a user's password compromised - with the result that a bunch
      of spam was sent through her account. (Fixed by changing her password.)

      But, in the process, I had to learn a lot about how Postfix wires
      together with Cyrus SASL, and that in turn with PAM. I discovered
      something that confuses me, and I hope someone can help:

      - our system is set up to authenticate smtpd transactions via saslauthd
      (and then to pam_unix to the password db)

      - as soon as I changed the user's password, IMAP started failing
      authentication and the password had to be changed, BUT...

      - we could still SEND mail via smtpd using either username/newpassword
      or username/oldpassword

      - eventually this timed out and the old password stopped working

      - obviously the old password was being cached somewhere, my assumption
      being in the saslauthd credentials cache, BUT, that doesn't explain why
      smtpd continued to accept the old password for a while

      Which leads to several questions:

      - the general one: anybody know what's going on?

      - is postfix doing some of its own authentication caching (as suggested
      by the variable smtp_sasl_auth_cache_time)

      - and most important: is there a way to flush the cache?

      Thanks very much,

      Miles Fidelman

      --
      In theory, there is no difference between theory and practice.
      In practice, there is. .... Yogi Berra
    • Viktor Dukhovni
      Message 2 of 7, Mar 2, 2013
        On Sat, Mar 02, 2013 at 09:22:30PM -0500, Miles Fidelman wrote:

        > - is postfix doing some of its own authentication caching (as
        > suggested by the variable smtp_sasl_auth_cache_time)

        This is an SMTP *client* (smtp(8)) parameter, used to avoid repeated
        attempts to authenticate with an invalid password.

        This has no effect on the SMTP *server* (smtpd(8)) and Postfix does
        not cache SASL credentials. That would require mechanism-specific
        behaviour for which there is simply no code in Postfix.

        --
        Viktor.
      • Patrick Ben Koetter
        Message 3 of 7, Mar 3, 2013
          * Miles Fidelman <mfidelman@...>:
          > Hi Folks,
          >
          > I just had a users' password compromised - with the result that a
          > bunch of spam was sent through her account. (Fixed by changing her
          > password.)
          >
          > But, in the process, I had to learn a lot about how Postfix wires
          > together with Cyrus SASL, and that in turn with PAM. I discovered
          > something that confuses me, and I hope someone can help:
          >
          > - our system is set up to authenticate smtpd transactions via
          > saslauthd (and then to pam_unix to the password db)
          >
          > - as soon as I changed the user's password, IMAP started failing
          > authentication and the password had to be changed, BUT...
          >
          > - we could still SEND mail via smtpd using either
          > username/newpassword or username/oldpassword

          saslauthd may use a cache. Maybe the cache was active and saslauthd didn't
          notice the old pass had been changed.


          > - eventually this timed out and the old password stopped working

          The cache expired.

          > - obviously the old password was being cached somewhere, my
          > assumption being in the saslauthd credentials cache, BUT, that
          > doesn't explain why smtpd continued to accept the old password for a
          > while

          smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself,
          but completely relies on Cyrus SASL to take care of that.

          > Which leads to several questions:
          >
          > - the general one: anybody know what's going on?
          >
          > - is postfix doing some of its own authentication caching (as
          > suggested by the variable smtp_sasl_auth_cache_time)

          It will for the smtp SMTP client, but not for the smtpd SMTPD server. All
          options that start with smtp_ apply to the smtp client.

          > - and most important: is there a way to flush the cache?

          Restart saslauthd?

          p@rick

          --
          [*] sys4 AG

          http://sys4.de, +49 (89) 30 90 46 64
          Franziskanerstraße 15, 81669 München

          Registered office: München, Amtsgericht München: HRB 199263
          Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
          Chairman of the supervisory board: Joerg Heidrich
        • Bart J. Smit
          Message 4 of 7, Mar 3, 2013
            Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

            Bart...

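Bart's suggestion above, turned into an added example (my own POSIX sh, not code from the thread or from the Cyrus SASL project): two helpers that read and rewrite the -t value on the FLAGS= line of a Red Hat style /etc/sysconfig/saslauthd. The file path and the sample contents are assumptions for the demonstration; -c (enable the credential cache) and -t (cache timeout in seconds) are the flags documented in saslauthd(8). A shorter timeout only bounds how long a revoked password keeps working; the restart Patrick suggested is still what drops cached credentials immediately, and saslauthd must be restarted anyway for a changed FLAGS line to take effect.

```shell
#!/bin/sh
# Added example: manage the saslauthd credential cache timeout (-t SECONDS)
# on the FLAGS= line of a Red Hat style /etc/sysconfig/saslauthd.
# Usage: set_saslauthd_cache_timeout /etc/sysconfig/saslauthd 60
#        get_saslauthd_cache_timeout /etc/sysconfig/saslauthd
# The file is an assumption for the demo; Debian uses OPTIONS= in
# /etc/default/saslauthd instead, so adjust the variable name there.

# Extract the flags string (without surrounding quotes) from the FLAGS= line.
_saslauthd_flags() {
    sed -n 's/^FLAGS=//p' "$1" | head -n 1 | tr -d '"'
}

# Print the configured -t value, or "default" when no -t flag is present
# (saslauthd then uses its built-in cache timeout).
get_saslauthd_cache_timeout() {
    t=$(_saslauthd_flags "$1" | sed -n 's/.*-t[ =]*\([0-9][0-9]*\).*/\1/p')
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'default\n'; fi
}

# Set -t SECONDS, replacing any existing -t and keeping other flags (e.g. -c).
# Writes through a temp file so a half-written config is never left behind.
set_saslauthd_cache_timeout() {
    file="$1"; secs="$2"
    case "$secs" in
        ''|*[!0-9]*) echo "timeout must be a non-negative integer" >&2; return 1 ;;
    esac
    if grep -q '^FLAGS=' "$file"; then
        # drop any existing -t VALUE, then normalise whitespace
        flags=$(_saslauthd_flags "$file" \
            | sed 's/-t[ =]*[0-9][0-9]*//g; s/  */ /g; s/^ //; s/ $//')
        if [ -n "$flags" ]; then newflags="$flags -t $secs"; else newflags="-t $secs"; fi
        sed "s|^FLAGS=.*|FLAGS=\"$newflags\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'FLAGS="-t %s"\n' "$secs" >> "$file"
    fi
}

# Stand-alone use: sh this-script.sh FILE SECONDS
if [ "$#" -eq 2 ]; then
    set_saslauthd_cache_timeout "$1" "$2" && get_saslauthd_cache_timeout "$1"
fi
```

Run it against a copy of the config first; after editing the real file, restart saslauthd so the new FLAGS line is picked up.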
          • Miles Fidelman
            Message 5 of 7, Mar 3, 2013
              Folks,

              Thanks for your replies re. sasl authentication. In thinking about
              things, and looking at all the attacks on our mailer (repeated attempts
              to authenticate and send email), it occurs to me:

              Does the postfix smtpd provide any mechanisms for locking out
              IP/username combinations that repeatedly fail authentication - in the
              same way that human login can get locked out after n failed
              authentication attempts? Seems like this might be a good countermeasure
              for brute force password guessing attacks against smtpd.

              Thanks,

              Miles Fidelman

            • Robert Schetterer
              Message 6 of 7, Mar 3, 2013
                On 03.03.2013 13:52, Miles Fidelman wrote:
                > Folks,
                >
                > Thanks for your replies re. sasl authentication. In thinking about
                > things, and looking at all the attacks on our mailer (repeated attempts
                > to authenticate and send email), it occurs to me:
                >
                > Does the postfix smtpd provide any mechanisms for locking out
                > IP/username combinations that repeatedly fail authentication - in the
                > same way that human login can get locked out after n failed
                > authentication attempts? Seems like this might be a good countermeasure
                > for brute force password guessing attacks against smtpd.
                >
                > Thanks,
                >
                > Miles Fidelman
                >

                you may use fail2ban with postfix sasl rules against brute force


                Best Regards
                Regards, Robert Schetterer

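Robert's pointer to fail2ban, turned into an added example (my own shell/awk, not code from the thread or from the fail2ban project): it reads Postfix smtpd log lines on stdin, counts "SASL ... authentication failed" warnings per client IP, and reports the addresses at or above a threshold. That is the same log signal the fail2ban postfix-sasl filter matches before banning an address at the firewall, keyed on the client IP in square brackets, the field the filter extracts as its host. This script only reports, which makes it useful for sizing a jail's retry threshold and for checking what it would have caught. The sample log excerpt is constructed (RFC 5737 documentation addresses); the warning format is the standard smtpd one.

```shell
#!/bin/sh
# Added example: report client IPs with repeated SASL authentication failures
# in Postfix smtpd log lines read on stdin.
# Usage: sasl_bruteforce_report [THRESHOLD] < /var/log/maillog
sasl_bruteforce_report() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        # Only smtpd warnings of the form "<host>[<ip>]: SASL <mech> authentication failed"
        /postfix\/smtpd\[[0-9]+\]: warning: .*\[[0-9a-fA-F.:]+\]: SASL [A-Z0-9-]+ authentication failed/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                # RSTART/RLENGTH cover "[ip]: SASL"; strip the leading "[" and
                # the trailing "]: SASL" (8 characters in total) to keep the IP
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) printf "%d %s\n", fails[ip], ip
        }
    ' | sort -rn
}

# Constructed sample excerpt (documentation addresses, not a real log):
# 6 failures from 192.0.2.10, 5 from 203.0.113.5, 2 from 198.51.100.7,
# plus unrelated lines that must not be counted.
SAMPLE_LOG='Mar  3 10:01:02 mail postfix/smtpd[4121]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:05 mail postfix/smtpd[4121]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:09 mail postfix/smtpd[4121]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:14 mail postfix/smtpd[4122]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:20 mail postfix/smtpd[4122]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:27 mail postfix/smtpd[4122]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:02:00 mail postfix/smtpd[4130]: connect from mta.example.net[198.51.100.7]
Mar  3 10:02:01 mail postfix/smtpd[4130]: warning: mta.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:02:03 mail postfix/smtpd[4130]: warning: mta.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:02:30 mail postfix/smtpd[4135]: warning: hostname host.example.invalid does not resolve to address 203.0.113.5
Mar  3 10:02:31 mail postfix/smtpd[4135]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: authentication failure
Mar  3 10:02:33 mail postfix/smtpd[4135]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:36 mail postfix/smtpd[4135]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:40 mail postfix/smtpd[4136]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:45 mail postfix/smtpd[4136]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:03:00 mail postfix/smtpd[4140]: 1A2B3C4D5E: client=home.example.org[203.0.113.77], sasl_method=PLAIN, sasl_username=alice'

# Run the report over the constructed sample with the given threshold.
sample_report() {
    printf '%s\n' "$SAMPLE_LOG" | sasl_bruteforce_report "${1:-5}"
}

# Stand-alone use: no arguments and a terminal on stdin -> show the sample run.
if [ "$#" -eq 0 ] && [ -t 0 ]; then
    sample_report 5
fi
```

On a live system feed the real log (`sasl_bruteforce_report 5 < /var/log/maillog`); the successful `client=` line and the "does not resolve" warning in the sample show why the match is anchored on the full "SASL ... authentication failed" text rather than on "warning:" alone.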
              • Miles Fidelman
                Message 7 of 7, Mar 3, 2013
                  Robert Schetterer wrote:
                  > On 03.03.2013 13:52, Miles Fidelman wrote:
                  >> Folks,
                  >>
                  >> Thanks for your replies re. sasl authentication. In thinking about
                  >> things, and looking at all the attacks on our mailer (repeated attempts
                  >> to authenticate and send email), it occurs to me:
                  >>
                  >> Does the postfix smtpd provide any mechanisms for locking out
                  >> IP/username combinations that repeatedly fail authentication - in the
                  >> same way that human login can get locked out after n failed
                  >> authentication attempts? Seems like this might be a good countermeasure
                  >> for brute force password guessing attacks against smtpd.
                  >>
                  >> Thanks,
                  >>
                  >> Miles Fidelman
                  >>
                  > you may use fail2ban with postfix sasl rules against brute force
                  thanks!
