Matthew Via:
> Thanks for the quick response.  I added the check with the outside if():

I see. The code indentation threw me off.

I think this can simplify to:

    if (smtpd_sasl_is_active(state)) {
        smtpd_sasl_auth_reset(state);
        smtpd_sasl_deactivate(state);
        if (state->tls_context == 0)
            smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
                                var_smtpd_sasl_opts);
        else
            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
                                var_smtpd_sasl_tls_opts);
    }

That is, if the SASL client was activated then we update it,
and otherwise we don't bother (don't wake up sleeping dogs).

The choice of SASL security options is unclear. If TLS is turned
on, then it was turned on by the XCLIENT proxy. We don't know if
it is safe for the remote SMTP client to send its passwords in
plaintext.

        Wietse

> --- postfix-2.6.6-orig/src/smtpd/smtpd.c  2015-01-28 12:24:49.000000000 -0500
> +++ postfix-2.6.6/src/smtpd/smtpd.c 2015-01-28 15:25:06.000000000 -0500
> @@ -3592,8 +3592,18 @@ static int xclient_cmd(SMTPD_STATE *stat
>   state->protocol = mystrdup(MAIL_PROTO_SMTP);
>      }
>  #ifdef USE_SASL_AUTH
> -    if (smtpd_sasl_is_active(state))
> +    if (smtpd_sasl_is_active(state)) {
>   smtpd_sasl_auth_reset(state);
> +    smtpd_sasl_deactivate(state);
> +    }
> +    if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) { 
> +        if (state->tls_context == 0)
> +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, 
> +                                var_smtpd_sasl_opts);
> +        else
> +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, 
> +                                var_smtpd_sasl_tls_opts);
> +    }
>  #endif
>      chat_reset(state, 0);
>      mail_reset(state);
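Review bot: the second test, `+    if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) {`, fires for any session where SASL is globally enabled but not currently active, not only for the session whose context the block above it just tore down, so XCLIENT becomes a place where SASL can be activated for the first time; since the preceding `if (smtpd_sasl_is_active(state))` block always leaves the context inactive, the two tests are redundant and the deactivate/activate pair belongs in that one block, reactivating only when something was active. The `state->tls_context == 0` test then picks var_smtpd_sasl_tls_opts on the strength of the proxy's TLS session, which says nothing about whether the real client's leg is encrypted; that choice needs at least a comment before this is merged.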
> 
> 
> ..and..
> 
> --- postfix-2.11.3-orig/src/smtpd/smtpd.c 2015-01-28 13:02:48.494510734 -0500
> +++ postfix-2.11.3/src/smtpd/smtpd.c  2015-01-28 15:30:12.548604676 -0500
> @@ -3851,7 +3851,19 @@ static int xclient_cmd(SMTPD_STATE *stat
>      }
>  #ifdef USE_SASL_AUTH
>      if (got_login == 0)
> - smtpd_sasl_auth_reset(state);
> +        smtpd_sasl_auth_reset(state);
> +    if (smtpd_sasl_is_active(state)) {
> +        smtpd_sasl_auth_reset(state);
> +        smtpd_sasl_deactivate(state);
> +    }
> +    if ((smtpd_sasl_is_active(state) == 0) && var_smtpd_sasl_enable) {
> +        if (state->tls_context == 0)
> +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
> +                                var_smtpd_sasl_opts);
> +        else
> +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
> +                                var_smtpd_sasl_tls_opts);
> +    }
>  #endif
>      chat_reset(state, 0);
>      mail_reset(state);
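Review bot: smtpd_sasl_auth_reset() now runs twice on a session with an active context, once under the existing `if (got_login == 0)` guard and again unconditionally at `+        smtpd_sasl_auth_reset(state);` inside the new `if (smtpd_sasl_is_active(state))` block, and the deactivate/activate pair that follows discards the context regardless of got_login, so the guard no longer protects anything; either the new block needs the same got_login condition, or whatever that guard preserves has to be re-established after smtpd_sasl_activate(). The `- smtpd_sasl_auth_reset(state);` / `+        smtpd_sasl_auth_reset(state);` pair is a whitespace-only change and should be dropped from the patch.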
> 
> 
> Thanks, Matthew
> 
> On 15:08 Wed 28 Jan, Wietse Venema wrote:
> > Matthew Via:
> > > We use postfix with dovecot as a sasl backend, and have run into a small
> > > issue with the XCLIENT extension and SASL.  smtpd_sasl_activate is
> > > called only upon the initial connection to smtpd, and that sets the sasl
> > > structure to using the socket's remote ip address.  When XCLIENT is
> > > used, a new ip address is specified but the sasl structure is not
> > > updated.  The logic appears to be correct with the STARTTLS command, so
> > > I applied similar logic to the XCLIENT command in postfix 2.6.6, since 
> > > that is what we're using currently.
> > 
> > You need to guard the smtpd_sasl_activate() calls with 
> > "if (smtpd_sasl_enable)".
> > 
> >     Wietse
> > 
> > > --- postfix-2.6.6-orig/src/smtpd/smtpd.c  2015-01-28 12:24:49.000000000 
> > > -0500
> > > +++ postfix-2.6.6/src/smtpd/smtpd.c 2015-01-28 12:30:30.000000000 -0500
> > > @@ -3592,8 +3592,18 @@ static int xclient_cmd(SMTPD_STATE *stat
> > >   state->protocol = mystrdup(MAIL_PROTO_SMTP);
> > >      }
> > >  #ifdef USE_SASL_AUTH
> > > -    if (smtpd_sasl_is_active(state))
> > > +    if (smtpd_sasl_is_active(state)) {
> > >   smtpd_sasl_auth_reset(state);
> > > +    smtpd_sasl_deactivate(state);
> > > +    }
> > > +    if (smtpd_sasl_is_active(state) == 0) { 
> > > +        if (state->tls_context == 0)
> > > +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, 
> > > +                                var_smtpd_sasl_opts);
> > > +        else
> > > +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, 
> > > +                                var_smtpd_sasl_tls_opts);
> > > +    }
> > >  #endif
> > >      chat_reset(state, 0);
> > >      mail_reset(state);
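Review bot: `+    if (smtpd_sasl_is_active(state) == 0) {` calls smtpd_sasl_activate() on every XCLIENT where no context is active, including servers where SASL is not enabled at all (`#ifdef USE_SASL_AUTH` only covers compile-time support), so a proxy command would switch SASL on for the session; the activation needs a `var_smtpd_sasl_enable` condition, or better, the deactivate/activate pair should sit inside the preceding `if (smtpd_sasl_is_active(state))` block so that only a context that already existed is rebuilt.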
> > > 
> > > 
> > > Does this look like the correct way to handle it? It does fix the issue
> > > and dovecot logs the correct XCLIENT-provided address, for both TLS
> > > and plain.
> > > 
> > > I moved this to the latest 2.11.3 for submission, but this probably 
> > > needs to be fixed; I'm not 100% sure about the got_login logic, so 
> > > I left it alone.
> > > 
> > > --- postfix-2.11.3-orig/src/smtpd/smtpd.c 2015-01-28 13:02:48.494510734 
> > > -0500
> > > +++ postfix-2.11.3/src/smtpd/smtpd.c  2015-01-28 13:48:32.050175395 -0500
> > > @@ -3851,7 +3851,19 @@ static int xclient_cmd(SMTPD_STATE *stat
> > >      }
> > >  #ifdef USE_SASL_AUTH
> > >      if (got_login == 0)
> > > - smtpd_sasl_auth_reset(state);
> > > +        smtpd_sasl_auth_reset(state);
> > > +    if (smtpd_sasl_is_active(state)) {
> > > +        smtpd_sasl_auth_reset(state);
> > > +        smtpd_sasl_deactivate(state);
> > > +    }
> > > +    if (smtpd_sasl_is_active(state) == 0) {
> > > +        if (state->tls_context == 0)
> > > +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
> > > +                                var_smtpd_sasl_opts);
> > > +        else
> > > +            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
> > > +                                var_smtpd_sasl_tls_opts);
> > > +    }
> > >  #endif
> > >      chat_reset(state, 0);
> > >      mail_reset(state);
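Review bot: the activation at `+    if (smtpd_sasl_is_active(state) == 0) {` is unguarded by var_smtpd_sasl_enable, the same problem as in the 2.6.6 hunk, and here it additionally collides with the existing `if (got_login == 0)` reset: a session with an active context is reset by that line and again by `+        smtpd_sasl_auth_reset(state);`, then rebuilt from scratch whether or not got_login was set. Folding the reset, deactivate and activate into a single `if (smtpd_sasl_is_active(state))` block that respects got_login would fix both points.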
> > > 
> > > 
> > > Thank you,
> > > Matthew
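As an added illustration that is not code from the thread or from Postfix, the following Python model reproduces the session behaviour the thread describes: the SASL context snapshots the client address when it is activated, so an XCLIENT ADDR= override reaches the SASL backend only if the context is torn down and rebuilt, and a rebuilt context after the proxy's own STARTTLS adopts the TLS option set. The option sets, the addresses and the XCLIENT lines are constructed for the example, the function names only mirror the ones in the patch, and only the ADDR attribute is modelled (no LOGIN/got_login handling).

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed contents of smtpd_sasl_security_options and smtpd_sasl_tls_security_options
# (the var_smtpd_sasl_opts / var_smtpd_sasl_tls_opts pair in the patch); illustrative only.
SASL_OPTS: FrozenSet[str] = frozenset({"noanonymous", "noplaintext"})
SASL_TLS_OPTS: FrozenSet[str] = frozenset({"noanonymous"})


def xtext_decode(value: str) -> str:
    """XCLIENT attribute values are xtext-encoded: '+HH' stands for the byte 0xHH."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_xclient(line: str) -> Dict[str, str]:
    """Parse 'XCLIENT NAME=... ADDR=...' into {ATTR: decoded value}."""
    verb, _, rest = line.strip().partition(" ")
    if verb.upper() != "XCLIENT" or not rest.strip():
        raise ValueError("syntax: XCLIENT attribute=value ...")
    attrs: Dict[str, str] = {}
    for item in rest.split():
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"bad XCLIENT attribute: {item!r}")
        attrs[name.upper()] = xtext_decode(value)
    return attrs


@dataclass
class SaslContext:
    client_addr: str            # the address handed to the SASL backend
    opts: FrozenSet[str]        # security options chosen at activation time


@dataclass
class SmtpdState:
    addr: str                   # current client address (socket peer or XCLIENT ADDR)
    tls_active: bool = False    # stands in for state->tls_context != 0
    sasl: Optional[SaslContext] = None
    authenticated: bool = False


def sasl_activate(state: SmtpdState) -> None:
    """Snapshot the address now; a TLS session gets the TLS option set."""
    opts = SASL_TLS_OPTS if state.tls_active else SASL_OPTS
    state.sasl = SaslContext(client_addr=state.addr, opts=opts)


def sasl_deactivate(state: SmtpdState) -> None:
    state.sasl = None


def sasl_auth_reset(state: SmtpdState) -> None:
    state.authenticated = False


def connect(addr: str, sasl_enable: bool = True) -> SmtpdState:
    """Session start: SASL is activated once, with the socket's peer address."""
    state = SmtpdState(addr=addr)
    if sasl_enable:
        sasl_activate(state)
    return state


def starttls(state: SmtpdState) -> None:
    """The refresh pattern the thread attributes to the STARTTLS path."""
    state.tls_active = True
    if state.sasl is not None:
        sasl_auth_reset(state)
        sasl_deactivate(state)
        sasl_activate(state)


def xclient(state: SmtpdState, line: str, refresh_sasl: bool) -> Dict[str, str]:
    """refresh_sasl=False: only reset the auth result; True: rebuild an active context."""
    attrs = parse_xclient(line)
    if "ADDR" in attrs:
        state.addr = attrs["ADDR"]
    if state.sasl is not None:
        sasl_auth_reset(state)
        if refresh_sasl:
            sasl_deactivate(state)
            sasl_activate(state)
    return attrs


def sasl_client_addr(state: SmtpdState) -> Optional[str]:
    return None if state.sasl is None else state.sasl.client_addr


def plaintext_allowed(state: SmtpdState) -> bool:
    return state.sasl is not None and "noplaintext" not in state.sasl.opts


def demo() -> Dict[str, object]:
    """Constructed scenario: proxy 10.0.0.5 fronts a client at 192.0.2.10."""
    results: Dict[str, object] = {}
    for refresh in (False, True):
        s = connect("10.0.0.5")
        xclient(s, "XCLIENT ADDR=192.0.2.10 NAME=client.example", refresh)
        results[f"backend_addr_refresh_{refresh}"] = sasl_client_addr(s)
    # The TLS here is the proxy's, not necessarily the real client's, yet the
    # refreshed context adopts the TLS option set (the caveat raised above).
    s = connect("10.0.0.5")
    starttls(s)
    xclient(s, "XCLIENT ADDR=192.0.2.10", True)
    results["plaintext_allowed_after_proxy_tls"] = plaintext_allowed(s)
    # SASL disabled for the session: XCLIENT must not switch it on.
    s = connect("10.0.0.5", sasl_enable=False)
    xclient(s, "XCLIENT ADDR=192.0.2.10", True)
    results["sasl_still_inactive"] = s.sasl is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the stale address with `refresh_sasl=False` and the XCLIENT-supplied one with `refresh_sasl=True`, which is the symptom Dovecot logged; the third case is the open question from the reply, since the rebuilt context permits plaintext mechanisms purely because the proxy negotiated TLS with smtpd.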