Re: question re. sasl authentication

  • Viktor Dukhovni
    Message 1 of 7 , Mar 2, 2013
      On Sat, Mar 02, 2013 at 09:22:30PM -0500, Miles Fidelman wrote:

      > - is postfix doing some of its own authentication caching (as
      > suggested by the variable smtp_sasl_auth_cache_time)

      This is an SMTP *client* (smtp(8)) parameter, used to avoid repeated
      attempts to authenticate with an invalid password.

      This has no effect on the SMTP *server* (smtpd(8)) and Postfix does
      not cache SASL credentials. That would require mechanism-specific
      behaviour for which there is simply no code in Postfix.

      --
      Viktor.
    • Patrick Ben Koetter
      Message 2 of 7 , Mar 3, 2013
        * Miles Fidelman <mfidelman@...>:
        > Hi Folks,
        >
        > I just had a user's password compromised - with the result that a
        > bunch of spam was sent through her account. (Fixed by changing her
        > password.)
        >
        > But, in the process, I had to learn a lot about how Postfix wires
        > together with Cyrus SASL, and that in turn with PAM. I discovered
        > something that confuses me, and I hope someone can help:
        >
        > - our system is set up to authenticate smtpd transactions via
        > saslauthd (and then to pam_unix to the password db)
        >
        > - as soon as I changed the user's password, IMAP started failing
        > authentication and the password had to be changed, BUT...
        >
        > - we could still SEND mail via smtpd using either
        > username/newpassword or username/oldpassword

        saslauthd may use a cache. Maybe the cache was active and saslauthd didn't
        notice the old pass had been changed.


        > - eventually this timed out and the old password stopped working

        The cache expired.

        > - obviously the old password was being cached somewhere, my
        > assumption being in the saslauthd credentials cache, BUT, that
        > doesn't explain why smtpd continued to accept the old password for a
        > while

        smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself,
        but completely relies on Cyrus SASL to take care of that.

        > Which leads to several questions:
        >
        > - the general one: anybody know what's going on?
        >
        > - is postfix doing some of its own authentication caching (as
        > suggested by the variable smtp_sasl_auth_cache_time)

        It will for the smtp SMTP client, but not for the smtpd SMTPD server. All
        options that start with smtp_ apply to the smtp_-client.

        > - and most important: is there a way to flush the cache?

        Restart saslauthd?

        p@rick

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, Amtsgericht München: HRB 199263
        Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Chairman of the supervisory board: Joerg Heidrich
      • Bart J. Smit
        Message 3 of 7 , Mar 3, 2013
          Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

          Bart...
        • Miles Fidelman
          Message 4 of 7 , Mar 3, 2013
            Folks,

            Thanks for your replies re. sasl authentication. In thinking about
            things, and looking at all the attacks on our mailer (repeated attempts
            to authenticate and send email), it occurs to me:

            Does the postfix smtpd provide any mechanisms for locking out
            IP/username combinations that repeatedly fail authentication - in the
            same way that human login can get locked out after n failed
            authentication attempts? Seems like this might be a good countermeasure
            for brute force password guessing attacks against smtpd.

            Thanks,

            Miles Fidelman

            --
            In theory, there is no difference between theory and practice.
            In practice, there is. .... Yogi Berra
          • Robert Schetterer
            Message 5 of 7 , Mar 3, 2013
              On 03.03.2013 13:52, Miles Fidelman wrote:
              > Folks,
              >
              > Thanks for your replies re. sasl authentication. In thinking about
              > things, and looking at all the attacks on our mailer (repeated attempts
              > to authenticate and send email), it occurs to me:
              >
              > Does the postfix smtpd provide any mechanisms for locking out
              > IP/username combinations that repeatedly fail authentication - in the
              > same way that human login can get locked out after n failed
              > authentication attempts? Seems like this might be a good countermeasure
              > for brute force password guessing attacks against smtpd.
              >
              > Thanks,
              >
              > Miles Fidelman
              >

              you may use fail2ban with postfix sasl rules against brute force


              Best Regards
              Kind regards, Robert Schetterer

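An added example, not from the thread and not fail2ban's own code, of the detection logic Robert is pointing at: it scans Postfix smtpd log lines for SASL authentication failures and flags client IPs that cross a retry threshold inside a time window, the same maxretry/findtime idea a fail2ban postfix-sasl jail applies. Postfix logs no username on a failed AUTH, only the client address, so counting is per IP; the log lines, hostnames, PIDs and addresses below are constructed, and the syslog year is an assumption supplied by the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Warning line Postfix smtpd writes to syslog when a client's SASL AUTH fails.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed"
)

# Constructed sample log (hosts, PIDs and addresses are made up); the last line is a
# successful AUTH and must be ignored by the matcher.
SAMPLE_LOG = [
    "Mar  3 08:13:01 mx1 postfix/smtpd[2345]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 08:13:05 mx1 postfix/smtpd[2345]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 08:13:09 mx1 postfix/smtpd[2346]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 08:14:00 mx1 postfix/smtpd[2347]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 08:30:00 mx1 postfix/smtpd[2348]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 08:30:10 mx1 postfix/smtpd[2349]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 08:31:00 mx1 postfix/smtpd[2350]: 3A1B2C3D4E: client=mail.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice",
]

def parse_failure(line, year=2013):
    """Return (timestamp, client_ip) for a SASL failure line, or None for any other line."""
    m = SASL_FAIL.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies it (assumed 2013 here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def find_offenders(lines, maxretry=3, findtime=600):
    """Map each client IP with maxretry failures inside any findtime-second window
    to the timestamp at which it crossed the threshold (fail2ban's ban decision)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # expire old failures
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders
```

With the defaults, 192.0.2.10 is flagged at its third failure within eight seconds, while 198.51.100.7 is not, because its first failure has aged out of the 600-second window by the time the third arrives.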
            • Miles Fidelman
              Message 6 of 7 , Mar 3, 2013
                Robert Schetterer wrote:
                > On 03.03.2013 13:52, Miles Fidelman wrote:
                >> Folks,
                >>
                >> Thanks for your replies re. sasl authentication. In thinking about
                >> things, and looking at all the attacks on our mailer (repeated attempts
                >> to authenticate and send email), it occurs to me:
                >>
                >> Does the postfix smtpd provide any mechanisms for locking out
                >> IP/username combinations that repeatedly fail authentication - in the
                >> same way that human login can get locked out after n failed
                >> authentication attempts? Seems like this might be a good countermeasure
                >> for brute force password guessing attacks against smtpd.
                >>
                >> Thanks,
                >>
                >> Miles Fidelman
                >>
                > you may use fail2ban with postfix sasl rules against brute force
                thanks!

                --
                In theory, there is no difference between theory and practice.
                In practice, there is. .... Yogi Berra