We use Postfix with Dovecot as a SASL backend, and have run into a small issue with the XCLIENT extension and SASL. smtpd_sasl_activate is called only upon the initial connection to smtpd, and that sets the SASL structure to use the socket's remote IP address. When XCLIENT is used, a new IP address is specified but the SASL structure is not updated. The logic appears to be correct with the STARTTLS command, so I applied similar logic to the XCLIENT command in Postfix 2.6.6, since that is what we're using currently.
--- postfix-2.6.6-orig/src/smtpd/smtpd.c 2015-01-28 12:24:49.000000000 -0500
+++ postfix-2.6.6/src/smtpd/smtpd.c 2015-01-28 12:30:30.000000000 -0500
@@ -3592,8 +3592,18 @@ static int xclient_cmd(SMTPD_STATE *stat
state->protocol = mystrdup(MAIL_PROTO_SMTP);
}
#ifdef USE_SASL_AUTH
- if (smtpd_sasl_is_active(state))
+ if (smtpd_sasl_is_active(state)) {
smtpd_sasl_auth_reset(state);
+ smtpd_sasl_deactivate(state);
+ }
+ if (smtpd_sasl_is_active(state) == 0) {
+ if (state->tls_context == 0)
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+ var_smtpd_sasl_opts);
+ else
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+ var_smtpd_sasl_tls_opts);
+ }
#endif
chat_reset(state, 0);
mail_reset(state);
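Review bot: The second added condition, `if (smtpd_sasl_is_active(state) == 0)`, is true not only right after the new `smtpd_sasl_deactivate(state)` call but also for any session where SASL was not active before XCLIENT was issued, so this hunk turns SASL on for sessions that did not have it. Consider moving the re-activation inside the first `if (smtpd_sasl_is_active(state)) { ... }` block, or guarding it with the same enable condition the initial connection setup uses, so XCLIENT only refreshes an already active SASL context. A short comment stating that the deactivate/activate pair exists to pick up the XCLIENT-supplied client address would also help, since nothing in the hunk explains why the context is rebuilt.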
Does this look like the correct way to handle it? It does fix the issue
and dovecot logs the correct XCLIENT-provided address, for both TLS
and plain.
I moved this to the latest 2.11.3 for submission, but this probably
needs to be fixed. I'm not 100% sure about the got_login logic, so
I left it alone.
--- postfix-2.11.3-orig/src/smtpd/smtpd.c 2015-01-28 13:02:48.494510734 -0500
+++ postfix-2.11.3/src/smtpd/smtpd.c 2015-01-28 13:48:32.050175395 -0500
@@ -3851,7 +3851,19 @@ static int xclient_cmd(SMTPD_STATE *stat
}
#ifdef USE_SASL_AUTH
if (got_login == 0)
- smtpd_sasl_auth_reset(state);
+ smtpd_sasl_auth_reset(state);
+ if (smtpd_sasl_is_active(state)) {
+ smtpd_sasl_auth_reset(state);
+ smtpd_sasl_deactivate(state);
+ }
+ if (smtpd_sasl_is_active(state) == 0) {
+ if (state->tls_context == 0)
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+ var_smtpd_sasl_opts);
+ else
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+ var_smtpd_sasl_tls_opts);
+ }
#endif
chat_reset(state, 0);
mail_reset(state);
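Review bot: The added `if (smtpd_sasl_is_active(state))` block calls `smtpd_sasl_auth_reset(state)` and `smtpd_sasl_deactivate(state)` without consulting `got_login`, which defeats the existing `if (got_login == 0)` guard directly above it: a session with `got_login` nonzero now has its SASL authentication state reset anyway, and one with `got_login == 0` is reset twice. Either place the whole deactivate/re-activate sequence under the `got_login == 0` condition, or handle the `got_login != 0` case explicitly so the login state it protects survives the context rebuild. As in the 2.6.6 version, the `smtpd_sasl_is_active(state) == 0` branch also activates SASL on sessions where it was not active before XCLIENT. The `-`/`+` pair on the first `smtpd_sasl_auth_reset(state);` line appears to be a whitespace-only change and could be dropped from the patch.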
Thank you,
Matthew
