RE: question re. sasl authentication

  • Bart J. Smit
    Message 1 of 7 , Mar 3, 2013
      Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.

      Bart...

      -----Original Message-----
      From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
      Sent: 03 March 2013 08:13
      To: postfix-users@...
      Subject: Re: question re. sasl authentication

      * Miles Fidelman <mfidelman@...>:
      > Hi Folks,
      >
      > I just had a users' password compromised - with the result that a
      > bunch of spam was sent through her account. (Fixed by changing her
      > password.)
      >
      > But, in the process, I had to learn a lot about how Postfix wires
      > together with Cyrus SASL, and that in turn with PAM. I discovered
      > something that confuses me, and I hope someone can help:
      >
      > - our system is set up to authenticate smtpd transactions via
      > saslauthd (and then to pam_unix to the password db)
      >
      > - as soon as I changed the user's password, IMAP started failing
      > authentication and the password had to be changed, BUT...
      >
      > - we could still SEND mail via smtpd using either username/newpassword
      > or username/oldpassword

      saslauthd may use a cache. Maybe the cache was active and saslauthd didn't notice the old pass had been changed.


      > - eventually this timed out and the old password stopped working

      The cache expired.

      > - obviously the old password was being cached somewhere, my assumption
      > being in the saslauthd credentials cache, BUT, that doesn't explain
      > why smtpd continued to accept the old password for a while

      smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself, but completely relies on Cyrus SASL to take care of that.

      > Which leads to several questions:
      >
      > - the general one: anybody know what's going on?
      >
      > - is postfix doing some of its own authentication caching (as
      > suggested by the variable smtp_sasl_auth_cache_time)

      It will for the smtp SMTP client, but not for the smtpd SMTP server. All options that start with smtp_ apply to the smtp client.

      > - and most important: is there a way to flush the cache?

      Restart saslauthd?

      p@rick

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: Munich, Munich District Court: HRB 199263
      Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
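The symptom in this message (old and new password both accepted by smtpd for a while, then the old one stops working) is what a positive credential cache in front of PAM produces. The following Python model is an added illustration, not code from the thread and not saslauthd's implementation: it replays the timeline with a fake clock. What is taken from saslauthd is only that it caches successful authentications when started with -c and that -t sets the cache lifetime in seconds; the cache key derivation, the user name, the passwords and the service/realm strings are this example's assumptions.

```python
"""Model of a saslauthd-style positive credential cache (added example; the key
derivation and TTL bookkeeping are assumptions, not saslauthd's actual code)."""
import hashlib
import time


class PasswordBackend:
    """Stands in for PAM/pam_unix: the authoritative password store."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, user, password):
        self._passwords[user] = password

    def check(self, user, password):
        return self._passwords.get(user) == password


class CachingAuthd:
    """Caches *successful* authentications for `ttl` seconds, keyed on a hash of
    the whole credential tuple. A password change in the backend is therefore
    invisible to cached entries until they expire or the cache is flushed."""

    def __init__(self, backend, ttl, clock=time.monotonic):
        self.backend = backend
        self.ttl = ttl            # what saslauthd -t would set (assumed mapping)
        self.clock = clock
        self._cache = {}          # cache key -> expiry time
        self.backend_calls = 0    # how often PAM was really consulted

    @staticmethod
    def _key(user, realm, service, password):
        material = "\0".join((user, realm, service, password)).encode()
        return hashlib.sha256(material).hexdigest()

    def authenticate(self, user, password, realm="", service="smtp"):
        key = self._key(user, realm, service, password)
        now = self.clock()
        expiry = self._cache.get(key)
        if expiry is not None and expiry > now:
            return True           # cache hit: the backend is never asked
        self.backend_calls += 1
        if self.backend.check(user, password):
            self._cache[key] = now + self.ttl
            return True
        return False

    def flush(self):
        """What restarting saslauthd does to the cache: everything is dropped."""
        self._cache.clear()


def password_change_scenario(ttl, flush_after_change=False):
    """Replays the thread's timeline and returns the outcome of each step."""
    t = [0.0]                                          # fake monotonic clock
    backend = PasswordBackend()
    authd = CachingAuthd(backend, ttl=ttl, clock=lambda: t[0])
    backend.set_password("alice", "old-pass")          # assumed user/password
    r = {}
    r["before_change_old"] = authd.authenticate("alice", "old-pass")  # miss, cached
    backend.set_password("alice", "new-pass")          # the password reset
    if flush_after_change:
        authd.flush()                                   # "Restart saslauthd?"
    r["after_change_old"] = authd.authenticate("alice", "old-pass")
    r["after_change_new"] = authd.authenticate("alice", "new-pass")
    r["after_change_wrong"] = authd.authenticate("alice", "guess")
    t[0] += ttl + 1                                     # let every entry expire
    r["after_expiry_old"] = authd.authenticate("alice", "old-pass")
    r["backend_calls"] = authd.backend_calls
    return r


if __name__ == "__main__":
    for flush in (False, True):
        print("flush after change:", flush)
        for step, outcome in password_change_scenario(28800, flush).items():
            print(f"  {step:20s} {outcome}")
```

Without a flush, `after_change_old` is True on a cache hit that never reaches the backend while `after_change_new` is True from a fresh lookup, which is exactly the "either username/newpassword or username/oldpassword" observation. A small -t narrows that window; a restart closes it immediately.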
    • Miles Fidelman
      Message 2 of 7 , Mar 3, 2013
        Folks,

        Thanks for your replies re. sasl authentication. In thinking about
        things, and looking at all the attacks on our mailer (repeated attempts
        to authenticate and send email), it occurs to me:

        Does the postfix smtpd provide any mechanisms for locking out
        IP/username combinations that repeatedly fail authentication - in the
        same way that human login can get locked out after n failed
        authentication attempts? Seems like this might be a good countermeasure
        for brute force password guessing attacks against smtpd.

        Thanks,

        Miles Fidelman

        --
        In theory, there is no difference between theory and practice.
        In practice, there is. .... Yogi Berra
      • Robert Schetterer
        Message 3 of 7 , Mar 3, 2013
          On 03.03.2013 13:52, Miles Fidelman wrote:
          > Folks,
          >
          > Thanks for your replies re. sasl authentication. In thinking about
          > things, and looking at all the attacks on our mailer (repeated attempts
          > to authenticate and send email), it occurs to me:
          >
          > Does the postfix smtpd provide any mechanisms for locking out
          > IP/username combinations that repeatedly fail authentication - in the
          > same way that human login can get locked out after n failed
          > authentication attempts? Seems like this might be a good countermeasure
          > for brute force password guessing attacks against smtpd.
          >
          > Thanks,
          >
          > Miles Fidelman
          >

          you may use fail2ban with postfix sasl rules against brute force


          Best Regards
          Robert Schetterer

          --
          [*] sys4 AG

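To show what "fail2ban with postfix sasl rules" amounts to, here is an added Python example (not from the thread, and not fail2ban's own code): it parses the SASL failure warnings Postfix smtpd writes to syslog and applies a fail2ban-style rule, ban a client IP once it produces maxretry failures inside a findtime window. The log lines are constructed for this example in the format Postfix uses; the threshold, the window and the sample addresses are assumptions. One caveat a practitioner should know before wishing for IP/username lockouts: the failure warning carries no username field, so the rule can only key on the client IP, which is also what fail2ban's postfix-sasl filter does.

```python
"""fail2ban-style detection of SMTP AUTH brute force from Postfix logs
(added example; regex modelled on the smtpd warning format, thresholds assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd logs one of these lines per failed SASL authentication.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>[-._\w]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed sample: one guessing client, one legitimate user with a typo.
SAMPLE_LOG = """\
Mar  3 08:12:01 mail postfix/smtpd[2001]: connect from unknown[203.0.113.5]
Mar  3 08:12:02 mail postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:12:03 mail postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:12:05 mail postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 08:12:09 mail postfix/smtpd[2002]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 08:12:40 mail postfix/smtpd[2003]: warning: laptop.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 08:12:44 mail postfix/smtpd[2003]: 8A1C2: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=miles
Mar  3 09:30:00 mail postfix/smtpd[2010]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
"""


def parse_failures(log_text, year=2013):
    """Yields (timestamp, client_ip) for every SASL failure; syslog has no year,
    so the caller supplies it (2013 matches the thread's date)."""
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())       # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Returns {ip: time_of_ban} for clients reaching maxretry failures inside
    a sliding findtime window, the rule a fail2ban jail applies."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        window = []                              # timestamps within findtime
        for ts in sorted(times):
            window.append(ts)
            while ts - window[0] > findtime:
                window.pop(0)                    # old failures age out
            if len(window) >= maxretry:
                banned[ip] = ts
                break
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

In the sample the guessing client trips the rule on its third failure within the window, the legitimate user with a single typo is left alone, and the stray failure an hour later counts for nothing on its own because the window has emptied. The stock fail2ban jail named postfix-sasl implements the same rule with the real log file and a firewall action.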
        • Miles Fidelman
          Message 4 of 7 , Mar 3, 2013
            Robert Schetterer wrote:
            > On 03.03.2013 13:52, Miles Fidelman wrote:
            >> Folks,
            >>
            >> Thanks for your replies re. sasl authentication. In thinking about
            >> things, and looking at all the attacks on our mailer (repeated attempts
            >> to authenticate and send email), it occurs to me:
            >>
            >> Does the postfix smtpd provide any mechanisms for locking out
            >> IP/username combinations that repeatedly fail authentication - in the
            >> same way that human login can get locked out after n failed
            >> authentication attempts? Seems like this might be a good countermeasure
            >> for brute force password guessing attacks against smtpd.
            >>
            >> Thanks,
            >>
            >> Miles Fidelman
            >>
            > you may use fail2ban with postfix sasl rules against brute force
            thanks!

            --
            In theory, there is no difference between theory and practice.
            In practice, there is. .... Yogi Berra