Postfix, saslauthd, mangled user names

  • Olaf Schreck
    Message 1 of 3 , Jul 27, 2014
      Helo,

      I'm testing a system running postfix, SMTP AUTH and saslauthd that should
      accept SMTP authentication on the submission port. This is working fine
      as long as I pass plain usernames without an @... part.

      When I try to pass usernames with a domain part (like "test@..."),
      authentication fails, because the username gets mangled to "test.org".
      Look: (hostname redacted to "testhost")

      chakl@gate:~$ perl -MMIME::Base64 -e 'print encode_base64("\000test@...\000testpass")'
      AHRlc3Qub3JnAHRlc3RwYXNz
      chakl@gate:~$ date
      Sun Jul 27 15:34:37 CEST 2014
      chakl@gate:~$ telnet testhost 587
      Trying testhost...
      Connected to testhost.
      Escape character is '^]'.
      220 testhost
      ehlo chakl
      250-testhost
      250-PIPELINING
      250-SIZE 10240000
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-AUTH PLAIN LOGIN
      250-AUTH=PLAIN LOGIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      auth plain AHRlc3Qub3JnAHRlc3RwYXNz
      535 5.7.8 Error: authentication failed: authentication failure

      saslauthd syslog on testhost:

      Jul 27 15:34:49 testhost saslauthd[12644]: do_auth : auth failure: [user=test.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

      User "test@..." is now "user=test.org". Of course authentication
      will fail. This is reproducible, "test2@..." will be "test2.net".

      I have tried with and without passing the -r flag to saslauthd, and using
      SASL mechs pam and rimap, same results. Somehow the username gets mangled
      between postfix and saslauthd.

      Anyone got an idea why this happens? Or how to work around this?


      thanks,
      chakl


      System Config: postfix 2.9.4, Suse Linux Enterprise 11 SP3.

      from /etc/postfix/master.cf:

      submission inet n - n - - smtpd
      -o smtpd_etrn_restrictions=reject
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject


      postconf | grep smtpd_sasl:

      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = no
      smtpd_sasl_exceptions_networks =
      smtpd_sasl_local_domain =
      smtpd_sasl_path = smtpd
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
      smtpd_sasl_type = cyrus


      /etc/sasl2/smtpd.conf:

      pwcheck_method: saslauthd
      mech_list: plain login


      pgrep -lf saslauthd:

      12643 /usr/sbin/saslauthd -r -a pam -n 5
      12644 /usr/sbin/saslauthd -r -a pam -n 5
      12645 /usr/sbin/saslauthd -r -a pam -n 5
      12646 /usr/sbin/saslauthd -r -a pam -n 5
      12647 /usr/sbin/saslauthd -r -a pam -n 5
    • Viktor Dukhovni
      Message 2 of 3 , Jul 27, 2014
        On Sun, Jul 27, 2014 at 04:16:35PM +0200, Olaf Schreck wrote:

        > chakl@gate:~$ perl -MMIME::Base64 -e 'print encode_base64("\000test@...\000testpass")'
        > AHRlc3Qub3JnAHRlc3RwYXNz

        Basic Perl user error. The string "@example" is interpreted as an
        array expansion.

        $ perl -e 'print "\000test@...\000testpass";' | cat -v
        ^@...^@testpass

        Try instead

        $ perl -MMIME::Base64 -e 'print encode_base64("\000test\@...\000testpass")'
        AHRlc3RAZXhhbXBsZS5vcmcAdGVzdHBhc3M=

        --
        Viktor.
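
Added example, not part of the original thread: decoding an AUTH PLAIN argument before sending it shows exactly which login name the server will receive, which exposes this kind of client-side quoting mistake without touching Postfix or saslauthd. The function names are hypothetical; the field layout (authzid NUL authcid NUL passwd) is the one defined in RFC 4616, and the two tokens are the ones quoted in the messages above.

```python
import base64
import binascii


def encode_plain(authcid, passwd, authzid=""):
    """Build the base64 AUTH PLAIN argument: authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = "\x00".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Return (authzid, authcid, passwd) from a base64 AUTH PLAIN argument."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authentication identity")
    return authzid, authcid, passwd


def check_token(token, expected_user):
    """True only if the token carries exactly the login name you meant to send."""
    return decode_plain(token)[1] == expected_user


# Tokens taken from the thread above.
MANGLED = "AHRlc3Qub3JnAHRlc3RwYXNz"              # first message
CORRECT = "AHRlc3RAZXhhbXBsZS5vcmcAdGVzdHBhc3M="  # Viktor's reply

if __name__ == "__main__":
    for tok in (MANGLED, CORRECT):
        authzid, authcid, _ = decode_plain(tok)  # password deliberately not printed
        print(f"{tok}: authzid={authzid!r} authcid={authcid!r}")
```

The first token decodes to the login name "test.org", the same value saslauthd logged as `user=test.org`, so the name was already wrong before it reached the server.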
      • Olaf Schreck
        Message 3 of 3 , Jul 27, 2014
          > Basic Perl user error. The string "@example" is interpreted as an
          > array expansion.

          You are so right.. And getting a "Basic Perl user error" response
          after 20+ years of using and loving Perl hurts :)

          Many thanks and sorry for the noise.
          chakl