Re: Is the limitation on password text in a file for smtp_sasl_password_maps

Mon, 01 Apr 2019 07:00:52 -0700 

Hello,
** Wietse Venema [2019-03-29 10:06:14 -0400]:

> Vladimir Lomov:
>> Hello,
>>  
>> I faced with strange problem with my postfix configuration. I use the
>> postfix as SMTP client to send emails from my host. Recently I
>> changed the password on external email-server, updated file that
>> stores passwords and now I see SASL authentication failures in log. I
>> wonder is the limitation on password part in the file pointed by
>> smtp_sasl_password_maps?
>>  
>> This is password part of my postfix configuration:
>>  
>>     smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>  
>> where sasl_passwd has following format:
>>  
>>     account@MAIL.SERVER   account:PASSWORD
>>  
>> The only restriction on PASSWORD that email-server puts is to avoid '
>> and ~ symbols, right now PASSWORD has any except these symbols, for
>> example it has symbols: ;:".
> 
> What is the output from:
> 
>       postmap -q account@MAIL.SERVER | od -cb

It outputs expected string (actually I had to use

    # postmap -q account@MAIL.SERVER /etc/postfix/sasl_passwd | ob -cb

> Does it show anything unexpected, or does it not show anything
> that you would expect to be in the output?
> 
>> I read the documentation but didn't find any restrictions on
>> PASSWORD part. Do I missed something?
> 
> When you create hash:/etc/postfix/sasl_passwd, the postmap command
> will
> - strip leading whitespace before 'account:password'
> - strip and trailing whitespace after 'account:password'
> - store text as null-terminated strings.
> 
> Therefore, the postmap command will not store leading whitespace in the 
> 'account'
> portion, will not store trailing whitespace in the 'password' portion, and 
> will
> not store text that follows a null byte.
> 
> The password lookup code splits the 'account:password' lookup result
> as follows:
> 
>         passwd = split_at(session->sasl_username, ':');
> 
> Where session->sasl_username initially contains the entire lookup result.
> The split_at() call consumes exactly one ':' character.
> 
> Therefore, there must be no ':' in the 'account' portion of the
> sasl_passwd lookup result. Otherwise, split_at() does not introduce
> any additional syntax restrictions on sasl_passwd syntax beyond
> those already introduced by the postmap command.

As I expected.

>       Wietse

Thank you. It turned out the problem was with MAIL server provider.

---
WBR, Vladimir Lomov

-- 
Every love's the love before
In a duller dress.
                -- Dorothy Parker, "Summary"

Attachment: signature.asc
Description: PGP signature

Reply via email to