Thanks for the quick response. I added the check with the outside if():
--- postfix-2.6.6-orig/src/smtpd/smtpd.c 2015-01-28 12:24:49.000000000 -0500
+++ postfix-2.6.6/src/smtpd/smtpd.c 2015-01-28 15:25:06.000000000 -0500
@@ -3592,8 +3592,18 @@ static int xclient_cmd(SMTPD_STATE *stat
 state->protocol = mystrdup(MAIL_PROTO_SMTP);
 }
 #ifdef USE_SASL_AUTH
- if (smtpd_sasl_is_active(state))
+ if (smtpd_sasl_is_active(state)) {
 smtpd_sasl_auth_reset(state);
+ smtpd_sasl_deactivate(state);
+ }
+ if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) {
+ if (state->tls_context == 0)
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+ var_smtpd_sasl_opts);
+ else
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+ var_smtpd_sasl_tls_opts);
+ }
 #endif
 chat_reset(state, 0);
 mail_reset(state);
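Review bot: The re-activation test at the end of the added block in xclient_cmd, `if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) {`, effectively checks only `var_smtpd_sasl_enable`, since the block just above has already deactivated SASL whenever it was active. The connection-time activation this mirrors is outside the hunk; if that path also honours `smtpd_tls_auth_only` or other conditions, the same conditions belong here so that XCLIENT cannot leave SASL active on a session where it would not have been activated at connect time. `state->tls_context` is read under `#ifdef USE_SASL_AUTH` alone, so if that field is only declared in TLS builds (declaration not visible here) the branch needs a `#ifdef USE_TLS` guard. I would also add a comment such as `/* Rebuild the SASL handle so the backend sees the XCLIENT-supplied client address; that address is only as trustworthy as the hosts authorized to send XCLIENT. */`. The postfix-2.11.3 hunk carries the same block and the same remarks apply there.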
..and..
--- postfix-2.11.3-orig/src/smtpd/smtpd.c 2015-01-28 13:02:48.494510734 -0500
+++ postfix-2.11.3/src/smtpd/smtpd.c 2015-01-28 15:30:12.548604676 -0500
@@ -3851,7 +3851,19 @@ static int xclient_cmd(SMTPD_STATE *stat
 }
 #ifdef USE_SASL_AUTH
 if (got_login == 0)
- smtpd_sasl_auth_reset(state);
+ smtpd_sasl_auth_reset(state);
+ if (smtpd_sasl_is_active(state)) {
+ smtpd_sasl_auth_reset(state);
+ smtpd_sasl_deactivate(state);
+ }
+ if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) {
+ if (state->tls_context == 0)
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+ var_smtpd_sasl_opts);
+ else
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+ var_smtpd_sasl_tls_opts);
+ }
 #endif
 chat_reset(state, 0);
 mail_reset(state);
Thanks, Matthew On 15:08 Wed 28 Jan , Wietse Venema wrote: > Matthew Via: > > We use postfix with dovecot as a sasl backend, and have run into a small > > issue with the XCLIENT extension and SASL. smtpd_sasl_activate is > > called only upon the initial connection to smtpd, and that sets the sasl > > structure to using the socket's remote ip address. When XCLIENT is > > used, a new ip address is specified but the sasl structure is not > > updated. The logic appears to be correct with the STARTTLS command, so > > I applied similar logic to the XCLIENT command in postfix 2.6.6, since > > that is what we're using currently. > > You need to guard the smtpd_sasl_activate() calls with > "if (smtpd_sasl_enable)". > > Wietse > > > --- postfix-2.6.6-orig/src/smtpd/smtpd.c 2015-01-28 12:24:49.000000000 > > -0500 > > +++ postfix-2.6.6/src/smtpd/smtpd.c 2015-01-28 12:30:30.000000000 -0500 
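Review bot: In the postfix-2.11.3 hunk of xclient_cmd the `if (got_login == 0)` guard stops having any effect while SASL is active, because the added block calls `smtpd_sasl_auth_reset(state)` unconditionally two lines later. If `got_login` records a login forwarded through XCLIENT (its assignment is outside the hunk), that login is discarded here; this fails closed, but any policy that depends on the forwarded login would stop matching. Either the deactivate/activate pair should run before the forwarded login is applied, or the new block should be skipped when `got_login` is set, e.g. `if (got_login == 0 && smtpd_sasl_is_active(state)) {` — which of the two is right depends on what `smtpd_sasl_deactivate` clears, so confirm against its definition. The first added line appears to differ from the removed one only in whitespace and can be dropped from the patch.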
> > @@ -3592,8 +3592,18 @@ static int xclient_cmd(SMTPD_STATE *stat > > state->protocol = mystrdup(MAIL_PROTO_SMTP); > > } > > #ifdef USE_SASL_AUTH > > - if (smtpd_sasl_is_active(state)) > > + if (smtpd_sasl_is_active(state)) { > > smtpd_sasl_auth_reset(state); > > + smtpd_sasl_deactivate(state); > > + } > > + if (smtpd_sasl_is_active(state) == 0) { > > + if (state->tls_context == 0) > > + smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, > > + var_smtpd_sasl_opts); > > + else > > + smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, > > + var_smtpd_sasl_tls_opts); > > + } > > #endif > > chat_reset(state, 0); > > mail_reset(state); > > > > > > Does this look like the correct way to handle it? It does fix the issue > > and dovecot logs the correct XCLIENT-provided address, for both TLS > > and plain. > > > > I moved this to the latest 2.11.3 for submission, but this probably > > needs to be fixed, I'm not 100% sure about the got_login logic, so > > I left it alone. > > > > --- postfix-2.11.3-orig/src/smtpd/smtpd.c 2015-01-28 13:02:48.494510734 > > -0500 > > +++ postfix-2.11.3/src/smtpd/smtpd.c 2015-01-28 13:48:32.050175395 -0500 > > @@ -3851,7 +3851,19 @@ static int xclient_cmd(SMTPD_STATE *stat > > } > > #ifdef USE_SASL_AUTH > > if (got_login == 0) > > - smtpd_sasl_auth_reset(state); > > + smtpd_sasl_auth_reset(state); > > + if (smtpd_sasl_is_active(state)) { > > + smtpd_sasl_auth_reset(state); > > + smtpd_sasl_deactivate(state); > > + } > > + if (smtpd_sasl_is_active(state) == 0) { > > + if (state->tls_context == 0) > > + smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, > > + var_smtpd_sasl_opts); > > + else > > + smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, > > + var_smtpd_sasl_tls_opts); > > + } > > #endif > > chat_reset(state, 0); > > mail_reset(state); > > > > > > Thank you, > > Matthew > -- End of PGP section, PGP failed!