
Re: question re. sasl authentication

  • Patrick Ben Koetter
    Message 1 of 7 , Mar 3, 2013
      * Miles Fidelman <mfidelman@...>:
      > Hi Folks,
      >
      > I just had a users' password compromised - with the result that a
      > bunch of spam was sent through her account. (Fixed by changing her
      > password.)
      >
      > But, in the process, I had to learn a lot about how Postfix wires
      > together with Cyrus SASL, and that in turn with PAM. I discovered
      > something that confuses me, and I hope someone can help:
      >
      > - our system is set up to authenticate smtpd transactions via
      > saslauthd (and then to pam_unix to the password db)
      >
      > - as soon as I changed the user's password, IMAP started failing
      > authentication and the password had to be changed, BUT...
      >
      > - we could still SEND mail via smtpd using either
      > username/newpassword or username/oldpassword

      saslauthd may use a cache. Maybe the cache was active and saslauthd didn't
      notice the old pass had been changed.


      > - eventually this timed out and the old password stopped working

      The cache expired.

      > - obviously the old password was being cached somewhere, my
      > assumption being in the saslauthd credentials cache, BUT, that
      > doesn't explain why smtpd continued to accept the old password for a
      > while

      smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself,
      but completely relies on Cyrus SASL to take care of that.

      > Which leads to several questions:
      >
      > - the general one: anybody know what's going on?
      >
      > - is postfix doing some of its own authentication caching (as
      > suggested by the variable smtp_sasl_auth_cache_time)

      It will for the smtp SMTP client, but not for the smtpd SMTPD server. All
      options that start with smtp_ apply to the smtp_-client.

      > - and most important: is there a way to flush the cache?

      Restart saslauthd?

      p@rick

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
    • Bart J. Smit
      Message 2 of 7 , Mar 3, 2013
        Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

        Bart...

        -----Original Message-----
        From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
        Sent: 03 March 2013 08:13
        To: postfix-users@...
        Subject: Re: question re. sasl authentication

        * Miles Fidelman <mfidelman@...>:
        > Hi Folks,
        >
        > I just had a users' password compromised - with the result that a
        > bunch of spam was sent through her account. (Fixed by changing her
        > password.)
        >
        > But, in the process, I had to learn a lot about how Postfix wires
        > together with Cyrus SASL, and that in turn with PAM. I discovered
        > something that confuses me, and I hope someone can help:
        >
        > - our system is set up to authenticate smtpd transactions via
        > saslauthd (and then to pam_unix to the password db)
        >
        > - as soon as I changed the user's password, IMAP started failing
        > authentication and the password had to be changed, BUT...
        >
        > - we could still SEND mail via smtpd using either username/newpassword
        > or username/oldpassword

        saslauthd may use a cache. Maybe the cache was active and saslauthd didn't notice the old pass had been changed.


        > - eventually this timed out and the old password stopped working

        The cache expired.

        > - obviously the old password was being cached somewhere, my assumption
        > being in the saslauthd credentials cache, BUT, that doesn't explain
        > why smtpd continued to accept the old password for a while

        smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself, but completely relies on Cyrus SASL to take care of that.

        > Which leads to several questions:
        >
        > - the general one: anybody know what's going on?
        >
        > - is postfix doing some of its own authentication caching (as
        > suggested by the variable smtp_sasl_auth_cache_time)

        It will for the smtp SMTP client, but not for the smtpd SMTPD server. All options that start with smtp_ apply to the smtp_-client.

        > - and most important: is there a way to flush the cache?

        Restart saslauthd?

        p@rick

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, Amtsgericht München: HRB 199263
        Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Chairman of the supervisory board: Joerg Heidrich
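Patrick's point that saslauthd may be caching the old credential, and Bart's advice to shorten the cache timeout with `-t`, both come down to the flags saslauthd was started with. The script below is an added example, not code from the thread or from the Cyrus SASL project: it reads the `FLAGS="..."` line of a Red Hat style `/etc/sysconfig/saslauthd` (the variable name is a parameter, since Debian's `/etc/default/saslauthd` uses `OPTIONS=`) and reports whether credential caching is on and which timeout applies. One caveat worth checking before touching `-t`: per saslauthd(8), caching is only enabled by `-c`, and `-t` sets the lifetime in seconds of entries in that cache (default 28800, eight hours, when `-c` is given without `-t`); without `-c` there is no cache to expire. The sysconfig files the script inspects are constructed samples written to a temp file.

```shell
#!/bin/sh
# Added example (not from the thread or the Cyrus SASL project): report the
# effective saslauthd credential-cache setting from a sysconfig FLAGS line.
# saslauthd(8): -c enables the cache, -t <seconds> sets its entry lifetime
# (default 28800 when -c is present without -t).

# Print the value of single-letter option $2 from the flag string $1.
# Accepts both "-t 1" and "-t1" spellings; prints nothing if absent.
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v opt="-$2" '
        $0 == opt          { if ((getline) > 0) print; exit }
        index($0, opt) == 1 { print substr($0, 3); exit }
    '
}

# True if the bare flag -$2 (e.g. -c) appears in flag string $1.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "-$2"
}

# Read VAR="..." (default VAR=FLAGS) from sysconfig file $1, quotes stripped.
read_flags() {
    var=${2:-FLAGS}
    sed -n "s/^[[:space:]]*${var}=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print "cache off" or "cache on, timeout <n>s" for sysconfig file $1.
saslauthd_cache_status() {
    flags=$(read_flags "$1" "$2")
    if ! has_flag "$flags" c; then
        echo "cache off"
        return 0
    fi
    t=$(flag_value "$flags" t)
    [ -n "$t" ] || t=28800     # saslauthd(8) default when -c lacks -t
    echo "cache on, timeout ${t}s"
}

# Write a constructed sample of /etc/sysconfig/saslauthd to $1 with FLAGS=$2.
# This is sample data for the demonstration, not a real system file.
make_sample() {
    printf '# constructed sample of /etc/sysconfig/saslauthd\nSOCKETDIR=/run/saslauthd\nMECH=pam\nFLAGS="%s"\n' "$2" > "$1"
}

# Demonstration on three constructed configurations.
tmp=$(mktemp)
make_sample "$tmp" "-c";        saslauthd_cache_status "$tmp"   # cache on, timeout 28800s
make_sample "$tmp" "-c -t 1";   saslauthd_cache_status "$tmp"   # cache on, timeout 1s (Bart's setting)
make_sample "$tmp" "";          saslauthd_cache_status "$tmp"   # cache off
rm -f "$tmp"
```

On a live host, point `saslauthd_cache_status` at the real sysconfig file (or at `/etc/default/saslauthd` with `OPTIONS` as the second argument) and compare with `ps -o args= -C saslauthd`, since the running daemon may have been started with different flags than the file now holds; after changing the timeout, restarting saslauthd, as Patrick suggests, is what actually drops the cached entries.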
      • Miles Fidelman
        Message 3 of 7 , Mar 3, 2013
          Folks,

          Thanks for your replies re. sasl authentication. In thinking about
          things, and looking at all the attacks on our mailer (repeated attempts
          to authenticate and send email), it occurs to me:

          Does the postfix smtpd provide any mechanisms for locking out
          IP/username combinations that repeatedly fail authentication - in the
          same way that human login can get locked out after n failed
          authentication attempts? Seems like this might be a good countermeasure
          for brute force password guessing attacks against smtpd.

          Thanks,

          Miles Fidelman

          --
          In theory, there is no difference between theory and practice.
          In practice, there is. .... Yogi Berra
        • Robert Schetterer
          Message 4 of 7 , Mar 3, 2013
            On 03.03.2013 13:52, Miles Fidelman wrote:
            > Folks,
            >
            > Thanks for your replies re. sasl authentication. In thinking about
            > things, and looking at all the attacks on our mailer (repeated attempts
            > to authenticate and send email), it occurs to me:
            >
            > Does the postfix smtpd provide any mechanisms for locking out
            > IP/username combinations that repeatedly fail authentication - in the
            > same way that human login can get locked out after n failed
            > authentication attempts? Seems like this might be a good countermeasure
            > for brute force password guessing attacks against smtpd.
            >
            > Thanks,
            >
            > Miles Fidelman
            >

            you may use fail2ban with postfix sasl rules against brute force


            Best Regards
            MfG Robert Schetterer

            --
            [*] sys4 AG

            http://sys4.de, +49 (89) 30 90 46 64
            Franziskanerstraße 15, 81669 München

            Registered office: München, Amtsgericht München: HRB 199263
            Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
            Chairman of the supervisory board: Joerg Heidrich
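Robert's suggestion works because Postfix does not lock accounts itself: smtpd logs each SASL failure as a warning line, and fail2ban's postfix-sasl jail counts those lines per client address and firewalls the address once it passes a threshold within a time window. The script below is an added example, not code from the thread or from the fail2ban project, that runs that counting step over a few constructed `maillog` lines (RFC 5737 documentation addresses) so an operator can see which clients a jail would act on, and tune the threshold, before enabling it. The threshold is a parameter here, not a fail2ban default.

```shell
#!/bin/sh
# Added example (not from the thread or fail2ban): count Postfix smtpd SASL
# authentication failures per client IP, the signal fail2ban's postfix-sasl
# jail bans on. Log lines are constructed samples, not from a real host.

# Constructed sample of /var/log/maillog lines. 203.0.113.5 fails four
# times; 198.51.100.7 fails once and then authenticates successfully.
SAMPLE_LOG='Mar  3 08:10:01 mail postfix/smtpd[2311]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:10:03 mail postfix/smtpd[2311]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 08:10:04 mail postfix/smtpd[2315]: connect from client.example.org[198.51.100.7]
Mar  3 08:10:05 mail postfix/smtpd[2315]: warning: client.example.org[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:10:09 mail postfix/smtpd[2311]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:10:12 mail postfix/smtpd[2320]: 4A1B2C3D4E: client=client.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:10:15 mail postfix/smtpd[2311]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure'

# Read log lines on stdin; print "<count> <ip>" for every client with at
# least $1 failures. Keys on the smtpd warning line
#   warning: <name>[<ip>]: SASL <MECH> authentication failed
# which is the same line fail2ban's postfix-sasl filter matches.
sasl_failures_over() {
    threshold=$1
    sed -n 's/^.* postfix\/smtpd\[[0-9]*\]: warning: [^[]*\[\([^]]*\)\]: SASL [A-Z0-9-]* authentication failed.*$/\1/p' |
        sort | uniq -c | awk -v min="$threshold" '$1 >= min { print $1, $2 }'
}

# Run the count over the constructed sample with threshold $1.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" | sasl_failures_over "$1"
}

# Number of distinct clients at or above threshold $1 (for quick checks).
offender_count() {
    offenders "$1" | awk 'END { print NR }'
}

offenders 3    # prints: 4 203.0.113.5
offenders 1    # prints both clients, one line each
```

On a real host, feed the live log instead of the sample (`sasl_failures_over 5 < /var/log/maillog`) and compare the output with `fail2ban-client status postfix-sasl` once the jail is enabled; a legitimate client with a stale password, like the IMAP case earlier in this thread, shows up in the same list, which is why the threshold and ban time deserve a look before turning the jail on.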
          • Miles Fidelman
            Message 5 of 7 , Mar 3, 2013
              Robert Schetterer wrote:
              > On 03.03.2013 13:52, Miles Fidelman wrote:
              >> Folks,
              >>
              >> Thanks for your replies re. sasl authentication. In thinking about
              >> things, and looking at all the attacks on our mailer (repeated attempts
              >> to authenticate and send email), it occurs to me:
              >>
              >> Does the postfix smtpd provide any mechanisms for locking out
              >> IP/username combinations that repeatedly fail authentication - in the
              >> same way that human login can get locked out after n failed
              >> authentication attempts? Seems like this might be a good countermeasure
              >> for brute force password guessing attacks against smtpd.
              >>
              >> Thanks,
              >>
              >> Miles Fidelman
              >>
              > you may use fail2ban with postfix sasl rules against brute force
              thanks!

              --
              In theory, there is no difference between theory and practice.
              In practice, there is. .... Yogi Berra