Use the -t parameter on your saslauthd invocation to set the number of seconds to cache authentications. E.g. on Redhat derivatives use FLAGS="-t 1" in /etc/sysconfig/saslauthd.
Bart...

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Patrick Ben Koetter
Sent: 03 March 2013 08:13
To: [email protected]
Subject: Re: question re. sasl authentication

* Miles Fidelman <[email protected]>:
> Hi Folks,
>
> I just had a user's password compromised - with the result that a
> bunch of spam was sent through her account. (Fixed by changing her
> password.)
>
> But, in the process, I had to learn a lot about how Postfix wires
> together with Cyrus SASL, and that in turn with PAM. I discovered
> something that confuses me, and I hope someone can help:
>
> - our system is set up to authenticate smtpd transactions via
> saslauthd (and then to pam_unix to the password db)
>
> - as soon as I changed the user's password, IMAP started failing
> authentication and the password had to be changed, BUT...
>
> - we could still SEND mail via smtpd using either username/newpassword
> or username/oldpassword

saslauthd may use a cache. Maybe the cache was active and saslauthd didn't notice the old pass had been changed.

> - eventually this timed out and the old password stopped working

The cache expired.

> - obviously the old password was being cached somewhere, my assumption
> being in the saslauthd credentials cache, BUT, that doesn't explain
> why smtpd continued to accept the old password for a while

smtpd is 'dumb' in terms of authentication. It doesn't authenticate itself, but completely relies on Cyrus SASL to take care of that.

> Which leads to several questions:
>
> - the general one: anybody know what's going on?
>
> - is postfix doing some of its own authentication caching (as
> suggested by the variable smtp_sasl_auth_cache_time)

It will for the smtp SMTP client, but not for the smtpd SMTPD server. All options that start with smtp_ apply to the smtp_-client.

> - and most important: is there a way to flush the cache?

Restart saslauthd?
p@rick

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
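The thread's practical takeaway is that a revoked password keeps working for smtpd until the saslauthd credential cache expires, and that the cache lifetime is set with `-t` in the saslauthd FLAGS. The script below is an added example (not code from the thread or from the Cyrus SASL project) that reads the `FLAGS=` line from a sysconfig-style file and reports the effective cache lifetime, so an operator can check the window during which a changed password is still accepted. It assumes, as the saslauthd man page describes, that caching is only active when `-c` is present, that `-t` gives the lifetime in seconds, and that the default lifetime with `-c` but no `-t` is 28800 seconds; the sample configuration it writes is constructed here and is not a real system file.

```shell
#!/bin/sh
# Added example: report the saslauthd credential-cache lifetime from a
# sysconfig-style file. Assumptions (not stated in the thread):
#   - the file carries a line of the form FLAGS="..."
#   - saslauthd caches credentials only when -c is given
#   - -t <seconds> sets the cache lifetime; assumed default 28800 when absent

# Write a constructed sysconfig-style file with the given FLAGS value and
# print its path. This is sample data, not a real /etc/sysconfig/saslauthd.
make_sample_cfg() {
    f=$(mktemp)
    printf 'SOCKETDIR=/run/saslauthd\nMECH=pam\nFLAGS="%s"\n' "$1" > "$f"
    echo "$f"
}

# Print the value of the last FLAGS= line in the file, with quotes stripped.
saslauthd_flags() {
    sed -n 's/^FLAGS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Print the effective cache lifetime in seconds:
#   0  -> caching disabled (no -c), so a changed password takes effect at once
#   N  -> the -t value, or the assumed default 28800 when -c is set without -t
saslauthd_cache_ttl() {
    flags=$(saslauthd_flags "$1")
    caching=0
    ttl=28800   # assumed saslauthd default when -c is given without -t
    set -- $flags
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) caching=1 ;;
            -t) ttl=${2:-$ttl}; shift ;;
        esac
        shift
    done
    if [ "$caching" -eq 1 ]; then echo "$ttl"; else echo 0; fi
}

# Demonstration on a constructed config matching the FLAGS="-t 1" advice above,
# plus -c so that the cache is actually enabled.
cfg=$(make_sample_cfg "-c -t 1")
echo "FLAGS: $(saslauthd_flags "$cfg")"
echo "old passwords may be accepted for up to $(saslauthd_cache_ttl "$cfg") seconds after a change"
rm -f "$cfg"
```

Point `saslauthd_cache_ttl` at the real sysconfig file to see how long an old password stays valid for smtpd after a reset; as the thread notes, restarting saslauthd empties the cache immediately, and a short `-t` keeps the window small in the normal case.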
