Hi All,

I have found an issue with saslauthd: it appears to let a user authenticate with any password if the user's password is blank in the /etc/shadow file on the smtp service.
Environment: Opensuse 11.4

# rpm -qa cyrus-sasl
cyrus-sasl-2.1.23-15.1.x86_64

# /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=shadow

# id sasltest
uid=1001(sasltest) gid=100(users) groups=33(video),100(users)

# testsaslauthd -u sasltest -p test -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p wrongtest -s smtp
0: NO "authentication failed"

# grep sasltest /etc/shadow
sasltest:$2y$10$RlSnCi99SDDFguMNk.rhcurpXphwm.NA9121vnVFi5RqzgmruFKye:15212:0:99999:7:::

Now if I remove the password in the shadow file:

# grep sasltest /etc/shadow
sasltest::15212:0:99999:7:::

# testsaslauthd -u sasltest -p test -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p wrongtest -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p icanputanythingIwanthere -s smtp
0: OK "Success."

Is this the expected result when using shadow as the auth mech? I know the solution is not to use blank passwords, but I would expect it to fail because you supplied a password when it does not have one, or not allow a blank password. Recently had a customer being used as a spam relay because of this. I have already explained that blank passwords are a bad idea.

Regards
Grant

Grant Delaney
Linux Administrator III
Tel: +442087342500
Fax: +44 20 8606 6110
Web: http://www.rackspace.co.uk
Rackspace Limited, Unit 5, Millington Road, Hayes, UB3 4AZ | Company No. 03897010
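Two things a practitioner would want alongside the report above: a quick audit that lists every account whose /etc/shadow password field is empty (the condition the post says makes saslauthd accept any password), and a look at why a comparison-only password check degenerates on an empty field, next to a check that refuses empty and locked fields outright. The Python below is an added example, not code from the post or from cyrus-sasl; `toy_hash` is a hypothetical crypt(3)-style stand-in with a made-up `$toy$` format, the sample shadow lines are constructed (the `sasltest` line is the one shown in the post, the others are invented), and whether saslauthd's shadow module actually performs a comparison of this shape is not established by the post. The audit generalizes beyond the single account in the post to any file in /etc/shadow format.

```python
import hashlib
import hmac
import secrets

# Constructed sample in /etc/shadow format.  The sasltest line is the empty
# password field from the post; root/locked/nologin are invented here.
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashjustaplaceholder:15212:0:99999:7:::
sasltest::15212:0:99999:7:::
locked:!:15212:0:99999:7:::
nologin:*:15212:0:99999:7:::
"""


def parse_shadow(text):
    """Yield (account, password_field) pairs from shadow-format text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def password_field_status(field):
    """Classify a shadow password field.

    "empty"   - nothing stored; the case the post reports as accepting anything
    "locked"  - '!' or '*' prefix, the conventional disabled-password markers
    "hashed"  - modular-crypt style '$id$salt$hash'
    "unknown" - anything else (e.g. legacy 13-char DES); treated as unusable
    """
    if field == "":
        return "empty"
    if field.startswith("!") or field.startswith("*"):
        return "locked"
    if field.startswith("$") and field.count("$") >= 3:
        return "hashed"
    return "unknown"


def audit_shadow(text):
    """Return the accounts whose password field is empty (the risky ones)."""
    return [user for user, field in parse_shadow(text)
            if password_field_status(field) == "empty"]


TOY_PREFIX = "$toy$"   # hypothetical scheme identifier, not a real crypt id


def toy_hash(password, setting):
    """Hypothetical crypt(3)-style stand-in: take the salt from `setting`
    (a bare '$toy$salt' or a full previous hash) and return a full hash
    string.  With no usable salt it returns "", which models how a
    comparison-only check can end up comparing "" against an empty field.
    This is an illustration, not the behaviour of any real libc crypt()."""
    if not setting.startswith(TOY_PREFIX):
        return ""
    salt = setting[len(TOY_PREFIX):].split("$", 1)[0]
    if not salt:
        return ""
    digest = hashlib.sha256((salt + "\0" + password).encode()).hexdigest()
    return f"{TOY_PREFIX}{salt}${digest}"


def make_toy_hash(password):
    """Create a fresh toy hash with a random 16-hex-char salt."""
    return toy_hash(password, TOY_PREFIX + secrets.token_hex(8))


def naive_verify(stored, password):
    """Comparison-only check: rehash with the stored field as the setting and
    accept on equality.  When stored == "" both sides are "" and every
    password is accepted, which is the outcome the post observed."""
    return toy_hash(password, stored) == stored


def verify_password(stored, password):
    """Hardened check: refuse empty, locked and unrecognised fields before
    doing any hashing, and compare in constant time."""
    if password_field_status(stored) != "hashed":
        return False
    if not stored.startswith(TOY_PREFIX):
        return False            # scheme this toy verifier does not implement
    candidate = toy_hash(password, stored)
    return bool(candidate) and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("accounts with empty password fields:", audit_shadow(SAMPLE_SHADOW))
    stored = make_toy_hash("test")
    for field, pw in [("", "icanputanythingIwanthere"),
                      (stored, "test"), (stored, "wrongtest"), ("!" + stored, "test")]:
        print(f"field={field[:12]!r:16} pw={pw!r:28} "
              f"naive={naive_verify(field, pw)} hardened={verify_password(field, pw)}")
```

Run the audit part against a copy of the real /etc/shadow (as root) to find accounts that would be affected before a spam relay finds them for you; the `toy_hash` part only exists to show the difference between "the hash comparison happened to match" and "the field held a usable hash and it matched".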