Re: Patch status

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,
RHEL has closed the downstream bug (link below) as "WONTFIX" because of their claim that these updates break compatibility with various clients that rely on saslauthd. There are some suggestions in that thread of a possible different implementation to the fix, but basically, they're saying this has to be fixed on the cyrus/sasl side and they won't include the existing patch as a fix. They did make the (correct) comment that this should be fixed for all auth mechanisms, not just auth_pam.
I know other people, besides just me, are interested in getting this resolved... we're getting hit hard by spammers on our SMTP server every day, and it would be enormously helpful to be able to use fail2ban or some other firewall to block their access, but without the rhost info, this is not possible.
Hopefully it's possible to come up with a more "global" solution that would be acceptable to RHEL (and thus CentOS, downstream). 

Thanks!

						--- Amir

At 6:26 PM +0100 10/16/2012, Alexey Melnikov wrote:

Hi Amir,

On 13/10/2012 02:55, Amir 'CG' Caspi wrote:

Speaking of more updates...

    This issue still hasn't been truly resolved:
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-April/002233.html
Lorenzo Catucci released a couple of patches to deal with this but they were "rejected" by RHEL because they supposedly broke compatibility with other utilities. From reading the latest comments in the bug report (https://bugzilla.redhat.com/show_bug.cgi?id=683797), especially #16, it appears that this is because the patch causes saslauthd to hang up if it doesn't receive rhost info, which it wouldn't from utilities that haven't been modified to send it. Perhaps the patch could be rewritten so that saslauthd doesn't _expect_ rhost, but still allows it, so it won't hang up if not given that info. Some later comments (notably #20) remark that this is an issue with other auth schemes besides pam.
I can apply the older patch (for 1.5.X, possibly updated), but my problem is that I can't really test it. If somebody is willing to try it out, I can attempt to fix this issue.
In any case, it would be awesome to have this updated at the source (here), and to have it work - right now, without rhost logging capability, DDoS banners like fail2ban can't use saslauthd info (at least not with pam).
[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux