On 03/02/13 21:26 -0500, Miles Fidelman wrote:
> Hi Folks,
> I just had a user's password compromised - with the result that a
> bunch of spam was sent through her email account. (Fixed by changing
> her password.)
> But, in the process, I had to learn a lot about how Postfix wires
> together with Cyrus SASL, and that in turn with PAM. I discovered
> something that confuses me, and I hope someone can help:
> - our system is set up to authenticate smtpd transactions via
> saslauthd (and then to pam_unix to the password db)
> - as soon as I changed the user's password, IMAP started failing
> authentication and the password had to be changed, BUT...
> - we could still SEND mail via smtpd using either
> username/newpassword or username/oldpassword
> - eventually this timed out and the old password stopped working
> Obviously the old password was being cached somewhere, and my
> assumption was in saslauthd's credentials cache - but that doesn't
> quite explain why the old password stopped working for one service
> (imap), but continued working for another (smtpd).
> Which leads to several questions:
> - what's going on being the obvious one - is this a Cyrus SASL
> behavior, or is there some caching going on elsewhere (i.e., by the
> postfix smtpd)?
> - what's the default setting for the cache timeout?
> - is there a way to flush the credentials cache?
See the manpage for saslauthd, specifically the '-c' and '-t' options.
The default timeout is:
saslauthd/cache.h:#define CACHE_DEFAULT_TIMEOUT 28800
Restarting saslauthd should flush its cache.
To better understand the scope of the problem, try troubleshooting with
imtest, smtptest, testsaslauthd (with '-s smtp', and '-s imap'), and
pamtester.
--
Dan White
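Added example (not part of the thread, and not code from Cyrus SASL or Postfix): a small POSIX shell script that wraps the checks Dan points at. It reads the flags the running saslauthd was started with and works out the effective credential-cache lifetime (0 if -c is absent, the -t value if given, otherwise CACHE_DEFAULT_TIMEOUT, 28800 s), then asks saslauthd directly, with testsaslauthd, whether it still accepts the old and the new password for the smtp and imap service names, and finally asks PAM directly with pamtester as the reference. It assumes Linux with a procps ps, testsaslauthd and pamtester on PATH, and saslauthd's socket at /var/run/saslauthd/mux (the Debian layout); the service names, the USER/OLDPASS/NEWPASS arguments and the sample command lines in the comments are illustrative.

```shell
#!/bin/sh
# Constructed example for the saslauthd credential-cache question above.
# Assumes: Linux with procps 'ps', cyrus-sasl's testsaslauthd and pamtester
# on PATH, and saslauthd's mux socket at /var/run/saslauthd/mux (Debian).

# Effective saslauthd credential-cache lifetime, in seconds, for a given
# saslauthd command line. Prints 0 when caching is off (no -c), the -t
# value when one is given, otherwise CACHE_DEFAULT_TIMEOUT from cache.h
# (28800 s, i.e. 8 hours). Example input: '-a pam -c -m /var/run/saslauthd'
saslauthd_cache_timeout() {
    cache=0
    timeout=28800
    # shellcheck disable=SC2086  (word-splitting the command line is intended)
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -c)  cache=1 ;;
            -t)  if [ $# -gt 1 ]; then shift; timeout=$1; fi ;;
            -t*) timeout=${1#-t} ;;
        esac
        shift
    done
    if [ "$cache" -eq 1 ]; then echo "$timeout"; else echo 0; fi
}

# Ask saslauthd directly, bypassing Postfix and imapd, whether it accepts
# user/password for a given service name. Exit status is testsaslauthd's,
# so a stale cache entry shows up here as an unexpected success.
probe_saslauthd() {   # user password service
    testsaslauthd -u "$1" -p "$2" -s "$3" -f /var/run/saslauthd/mux
}

# Ask PAM directly for the same service; pamtester prompts for the
# password. This is the uncached reference answer.
probe_pam() {   # service user
    pamtester "$1" "$2" authenticate
}

# Print one line per (service, old/new password) without echoing the
# password itself.
report() {   # user service label password
    if probe_saslauthd "$1" "$4" "$2" >/dev/null 2>&1; then
        printf '%-5s %-3s password: accepted by saslauthd\n' "$2" "$3"
    else
        printf '%-5s %-3s password: rejected by saslauthd\n' "$2" "$3"
    fi
}

# Usage: sh saslcache-check.sh --run USER OLDPASS NEWPASS
if [ "${1:-}" = "--run" ]; then
    user=$2 old=$3 new=$4
    running=$(ps -o args= -C saslauthd | head -n 1)
    printf 'saslauthd cache lifetime: %s s (0 = cache disabled)\n' \
        "$(saslauthd_cache_timeout "$running")"
    for svc in smtp imap; do
        report "$user" "$svc" old "$old"
        report "$user" "$svc" new "$new"
    done
    echo 'Reference check against PAM for smtp (you will be prompted):'
    probe_pam smtp "$user" || true
fi
```

If the old password is still accepted by saslauthd but rejected by pamtester, the acceptance is coming from saslauthd's cache rather than from PAM; per Dan's reply, restarting saslauthd flushes it, and a shorter -t (or dropping -c) bounds how long a revoked password keeps working.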