* Miles Fidelman <[email protected]>:
> Hi Folks,
>
> I just had a user's password compromised - with the result that a
> bunch of spam was sent through her account. (Fixed by changing her
> password.)
>
> But, in the process, I had to learn a lot about how Postfix wires
> together with Cyrus SASL, and that in turn with PAM. I discovered
> something that confuses me, and I hope someone can help:
>
> - our system is set up to authenticate smtpd transactions via
> saslauthd (and then to pam_unix to the password db)
>
> - as soon as I changed the user's password, IMAP started failing
> authentication and the password had to be changed, BUT...
>
> - we could still SEND mail via smtpd using either
> username/newpassword or username/oldpassword
saslauthd may use a cache. Maybe the cache was active and saslauthd
didn't notice the old pass had been changed.

> - eventually this timed out and the old password stopped working

The cache expired.

> - obviously the old password was being cached somewhere, my
> assumption being in the saslauthd credentials cache, BUT, that
> doesn't explain why smtpd continued to accept the old password for a
> while

smtpd is 'dumb' in terms of authentication. It doesn't authenticate
itself, but completely relies on Cyrus SASL to take care of that.

> Which leads to several questions:
>
> - the general one: anybody know what's going on?
>
> - is postfix doing some of its own authentication caching (as
> suggested by the variable smtp_sasl_auth_cache_time)

It will for the smtp SMTP client, but not for the smtpd SMTP server.
All options that start with smtp_ apply to the smtp client.

> - and most important: is there a way to flush the cache?

Restart saslauthd?

p@rick

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
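The two things the reply points at (whether the saslauthd credential cache is on, and that smtp_* parameters belong to the Postfix SMTP client while smtpd_* belong to the server) can be checked from the shell. The script below is an added example for this thread, not code posted by either participant. It assumes the saslauthd(8) flags -c (enable cache), -t (cache timeout in seconds, default 28800 when caching is on) and -s (cache size), and it runs on constructed sample input (a saslauthd option string and a few postconf -n lines) so it works offline; on a real box you would feed it the OPTIONS line from /etc/default/saslauthd (or the saslauthd process arguments from ps) and the real postconf -n output.

```shell
#!/bin/sh
# Added example (not from the original thread). Two small helpers an admin
# can point at their own saslauthd/Postfix setup; run here on constructed
# sample input so the script is self-contained.
#
# Assumed flag semantics (saslauthd(8)): -c turns the credential cache on,
# -t <seconds> is its timeout (default 28800 = 8 hours once -c is given),
# -s <kbytes> is its size. A restart of saslauthd drops the cache.

# saslauthd_cache_info OPTIONS
#   Parses a saslauthd option string and prints "off" when no -c is
#   present, or "on ttl=<seconds>" with the effective cache timeout.
saslauthd_cache_info() {
    caching=no
    ttl=28800
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) caching=yes ;;
            -t) ttl=$2; shift ;;
        esac
        shift
    done
    if [ "$caching" = yes ]; then
        echo "on ttl=$ttl"
    else
        echo "off"
    fi
}

# postfix_sasl_scope PARAMETER_NAME
#   Prints "client" for smtp_* (the Postfix SMTP client, outbound relaying),
#   "server" for smtpd_* (the Postfix SMTP server, inbound AUTH), else "other".
#   smtp_sasl_auth_cache_time therefore never touches inbound AUTH.
postfix_sasl_scope() {
    case "$1" in
        smtpd_*) echo server ;;
        smtp_*)  echo client ;;
        *)       echo other ;;
    esac
}

# Constructed sample input: what /etc/default/saslauthd OPTIONS and a
# postconf -n excerpt might look like on the poster's system.
SAMPLE_OPTIONS='-a pam -c -m /var/run/saslauthd -t 600'
SAMPLE_POSTCONF='smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtp_sasl_auth_enable = no
smtp_sasl_auth_cache_time = 90d'

echo "saslauthd cache: $(saslauthd_cache_info "$SAMPLE_OPTIONS")"
printf '%s\n' "$SAMPLE_POSTCONF" | while IFS= read -r line; do
    name=${line%% *}
    printf '%-28s -> %s\n' "$name" "$(postfix_sasl_scope "$name")"
done
```

With caching on, a restart of saslauthd (the service name and init system are an assumption; e.g. `service saslauthd restart`) is the flush; afterwards `testsaslauthd -u USER -p 'OLDPASS' -s smtp` should fail against the backend while the new password still succeeds.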
