Victor Duchovni:
> On Thu, May 28, 2009 at 04:02:37PM +0800, Norbert P. Copones wrote:
>
> > this setting is fine in 2.5 and it guarantees that smtp auth
> > only operates in tls. this also prevents users at my domain
> > from spoofing as it requires authentication.
> >
> > however, a change in 2.6 in sasl broke this setup.
> >
> > using the config above, the following warning will occur since sasl
> > will only activate during tls.
> >
> > warning: restriction 'reject_authenticated_sender_sender_login_mismatch'
> > ignored: no SASL support
> > warning: restriction 'reject_unauthenticated_sender_sender_login_mismatch'
> > ignored: no SASL support
> >
> >
> > my workaround for this is to disable smtpd_tls_auth_only but this
> > also lets users authenticate in plain-text mode.
> >
> > any other workarounds?
>
> Try this patch:
>
> Index: src/smtpd/smtpd_check.c
> --- src/smtpd/smtpd_check.c 28 Apr 2009 22:03:36 -0000 1.1.1.13
> +++ src/smtpd/smtpd_check.c 28 May 2009 08:49:06 -0000
> @@ -3314,7 +3314,8 @@
> * Reject if the client is not logged in and the sender address has an
> * owner.
> */
> - if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
> + if (!smtpd_sasl_is_active(state)
> + || (smtpd_sasl_is_active(state) && state->sasl_username == 0)) {
> reply = smtpd_resolve_addr(sender);
> if (reply->flags & RESOLVE_FLAG_FAIL)
> reject_dict_retry(state, sender);
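Review bot: the condition on the "+" lines calls smtpd_sasl_is_active(state) twice, and the second call is redundant because it is only evaluated when the first operand is already false; it reduces to !smtpd_sasl_is_active(state) || state->sasl_username == 0. Nothing in it checks that SASL is enabled at all, so the branch (and the smtpd_resolve_addr(sender) lookup) is taken in every session where SASL is not active, including on servers that never offer AUTH. Gating the test on var_smtpd_sasl_enable, which the later hunks of this patch already use, would limit the rejection to servers where a login is possible.
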
I prefer to stay closer to the original semantics; don't touch
uninitialized SASL-related data and don't call SASL-related functions
while SASL is not activated.
Wietse
Postfix 2.5:

    if (var_smtpd_sasl_enable && state->sasl_username == 0) {

Postfix 2.6:

    if (var_smtpd_sasl_enable
        && (smtpd_sasl_is_active(state) == 0 || state->sasl_username == 0)) {

> @@ -3766,7 +3767,7 @@
> state->sender, SMTPD_NAME_SENDER);
> } else if (strcasecmp(name, REJECT_AUTH_SENDER_LOGIN_MISMATCH) == 0) {
> #ifdef USE_SASL_AUTH
> - if (smtpd_sasl_is_active(state)) {
> + if (var_smtpd_sasl_enable) {
> if (state->sender && *state->sender)
> status = reject_auth_sender_login_mismatch(state,
> state->sender);
> } else
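Review bot: with the guard changed to var_smtpd_sasl_enable, reject_auth_sender_login_mismatch(state, state->sender) is now called in sessions where SASL is enabled but not active, so the callee has to tolerate SASL session state that was never set up. Going by its name, REJECT_AUTH_SENDER_LOGIN_MISMATCH only concerns clients that have logged in, so keeping smtpd_sasl_is_active(state) as an extra condition beside the state->sender test would avoid the "ignored" warning without calling SASL-dependent code before AUTH is available.
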
Postfix 2.5:

    if (var_smtpd_sasl_enable) {
        if (state->sender && *state->sender)
            status = reject_auth_sender_login_mismatch(state, state->sen

Postfix 2.6:

    if (var_smtpd_sasl_enable) {
        if (smtpd_sasl_is_active(state)
            && state->sender && *state->sender)
            status = reject_auth_sender_login_mismatch(state, state->sen

> @@ -3774,7 +3775,7 @@
> msg_warn("restriction `%s' ignored: no SASL support", name);
> } else if (strcasecmp(name, REJECT_UNAUTH_SENDER_LOGIN_MISMATCH) == 0) {
> #ifdef USE_SASL_AUTH
> - if (smtpd_sasl_is_active(state)) {
> + if (var_smtpd_sasl_enable) {
> if (state->sender && *state->sender)
> status = reject_unauth_sender_login_mismatch(state,
> state->sender);
> } else
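Review bot: for REJECT_UNAUTH_SENDER_LOGIN_MISMATCH the session where SASL is not yet active is the case this change has to reach, so the swap to var_smtpd_sasl_enable on the "+" line is only correct together with the first hunk's new condition in the unauthenticated check. A short comment at this branch stating that the check intentionally runs before SASL is active would record that dependency for whoever next edits either place.
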
Postfix 2.5:

    if (var_smtpd_sasl_enable) {
        if (state->sender && *state->sender)
            status = reject_auth_sender_login_mismatch(state, state->sen

Postfix 2.6:

    if (var_smtpd_sasl_enable) {
        if (smtpd_sasl_is_active(state)
            && state->sender && *state->sender)
            status = reject_auth_sender_login_mismatch(state, state->sen

> --
> Viktor.
>
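
The "client not logged in" conditions quoted in this thread, modelled side by side as an added example (not Postfix code and not from either poster). The struct fields are hypothetical stand-ins for var_smtpd_sasl_enable, smtpd_sasl_is_active(state) and state->sasl_username, and the four session states are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of one SMTP session; not Postfix's own types. */
struct session {
    int enabled;            /* stands in for var_smtpd_sasl_enable */
    int active;             /* stands in for smtpd_sasl_is_active(state) */
    const char *username;   /* stands in for state->sasl_username, NULL = no login */
};

/* Condition quoted in the reply as "Postfix 2.5". */
static int unauth_25(const struct session *s)
{ return s->enabled && s->username == NULL; }

/* The "-" line of the first hunk: never true while SASL is inactive. */
static int unauth_minus(const struct session *s)
{ return s->active && s->username == NULL; }

/* The "+" lines of the first hunk: true whenever SASL is inactive. */
static int unauth_plus(const struct session *s)
{ return !s->active || (s->active && s->username == NULL); }

/* Condition quoted in the reply as "Postfix 2.6": username read only if active. */
static int unauth_26(const struct session *s)
{ return s->enabled && (s->active == 0 || s->username == NULL); }

/* Constructed session states. */
static const struct session PRE_TLS  = {1, 0, NULL};  /* TLS-only AUTH, before STARTTLS */
static const struct session TLS_ANON = {1, 1, NULL};  /* AUTH offered, not used */
static const struct session TLS_AUTH = {1, 1, "alice"};
static const struct session NO_SASL  = {0, 0, NULL};  /* SASL not enabled at all */

int main(void)
{
    const struct { const char *name; const struct session *s; } rows[] = {
        {"pre-TLS", &PRE_TLS}, {"TLS, no AUTH", &TLS_ANON},
        {"TLS, AUTH ok", &TLS_AUTH}, {"SASL off", &NO_SASL},
    };
    puts("state          2.5  hunk-  hunk+  2.6");
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("%-14s %3d  %5d  %5d  %3d\n", rows[i].name,
               unauth_25(rows[i].s), unauth_minus(rows[i].s),
               unauth_plus(rows[i].s), unauth_26(rows[i].s));
    return 0;
}
```

The rows to compare are "pre-TLS", where the "-" line alone skips the sender-owner check, and "SASL off", where the "+" lines alone apply it.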