<HTML dir="ltr">
<HEAD><!-- Template generated by Exclaimer Mail Disclaimers on 04:10:24 Friday, 26 August 2011 -->
<STYLE type=text/css>P.83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7 {
MARGIN: 0cm 0cm 0pt
}
LI.83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7 {
MARGIN: 0cm 0cm 0pt
}
DIV.83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7 {
MARGIN: 0cm 0cm 0pt
}
TABLE.83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7Table {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</STYLE>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</HEAD>
<BODY ocsi="0" fpstyle="1">
<P class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7>
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Hi All<br />
<br />
I have found an issue with saslauthd, it appears to let a user authenticate with any password if the users password is blank in the /etc/shadow file on the smtp service.<br />
<br />
Environment:<br />
<br />
Opensuse 11.4<br />
rpm -qa cyrus-sasl<br />
cyrus-sasl-2.1.23-15.1.x86_64<br />
<br />
#/etc/sysconfig/saslauthd<br />
SASLAUTHD_AUTHMECH=shadow<br />
<br />
# id sasltest<br />
uid=1001(sasltest) gid=100(users) groups=33(video),100(users)<br />
<br />
<br />
# testsaslauthd -u sasltest -p test -s smtp<br />
0: OK "Success."<br />
<br />
# testsaslauthd -u sasltest -p wrongtest -s smtp<br />
0: NO "authentication failed"<br />
<br />
# grep sasltest /etc/shadow<br />
sasltest:$2y$10$RlSnCi99SDDFguMNk.rhcurpXphwm.NA9121vnVFi5RqzgmruFKye:15212:0:99999:7:::<br />
<br />
Now if I remove the password in the shadow file.<br />
<br />
# grep sasltest /etc/shadow<br />
sasltest::15212:0:99999:7:::<br />
<br />
# testsaslauthd -u sasltest -p test -s smtp<br />
0: OK "Success."<br />
<br />
# testsaslauthd -u sasltest -p wrongtest -s smtp<br />
0: OK "Success."<br />
<br />
# testsaslauthd -u sasltest -p icanputanythingIwanthere -s smtp<br />
0: OK "Success."<br />
<br />
Is this the expected result when using shadow as the auth mech ?<br />
<br />
I know the solution is not to use blank passwords, but I would expect it to fail because you supplied a password when it does not have one or not allow a blank password. Recently had a customer being used as a spam relay because of this. I have already explained
that blank passwords are a bad idea.<br />
<br />
Regards<br />
Grant</div>
</P>
<P class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7> </P>
<P class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7>
<TABLE border=0 cellPadding=0 width=504>
<TBODY>
<TR>
<TD style="WIDTH: 270px" class=LEFT_ALIGNED>Grant Delaney<BR />Linux Administrator III</TD>
<TD style="WIDTH: 281px"><IMG alt="experience Fanatical Support" align=right src="cid:imagef8af27.JPG@ff4e77fc.4aa5c8f7" width=159 height=17 /></TD></TR>
<TR class=LEFT_ALIGNED>
<TD colSpan=2><IMG alt=LINE src="cid:image589d03.JPG@51ee982f.4ca8fbd3" width=504 height=4 /></TD></TR>
<TR>
<TD class=CONTACTINFO><table class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7Table><tr><td>Tel: </td><td>+442087342500</td></tr><tr><td>Fax: </td><td>+44 20 8606 6110</td></tr><tr><td>Web:</td><td><a href='www.rackspace.co.ukhttp://www.rackspace.co.uk' title='' target=''>www.rackspace.co.uk</a></td></tr></table></TD>
<TD class=RIGHT_ALIGNED rowSpan=2><IMG alt=Rackspace src="cid:image40c8b5.JPG@dbaad1e6.4dba6b45" width=280 height=74 /></TD></TR>
<TR class=LEFT_ALIGNED>
<TD class=CONTACTINFO>
<P><A href="http://www.twitter.com/rackspaceemea/"><IMG alt="Follow us on twitter" src="cid:imageb806e4.JPG@d174b8f8.469837cb" width=146 height=20 /></A></P></TD></TR>
<TR class=LEFT_ALIGNED>
<TD class=CONTACTINFO colSpan=2><IMG src="cid:image48ea41.JPG@8516b232.48949329" width=504 height=3 /></TD></TR></TBODY></TABLE></P>
<P class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7> </P>
<P class=83a3ae21-bd4c-4ef4-a29b-f2b9263f41c7></P><font face="monospace">Rackspace Limited, Unit 5, Millington Road, Hayes, UB3 4AZ | Company No. 03897010<br>
<br>
Confidentiality Notice: This e-mail message (including any attached or<br>
embedded documents) is intended for the exclusive and confidential use of the<br>
individual or entity to which this message is addressed, and unless otherwise<br>
expressly indicated, is confidential and privileged information of Rackspace.<br>
Any dissemination, distribution or copying of the enclosed material is prohibited.<br>
If you receive this transmission in error, please notify us immediately by e-mail<br>
at abuse@rackspace.com, and delete the original message.<br>
Your cooperation is appreciated.<br>
</font><font face="monospace">This email may include confidential information. If you received it in error, please delete it.</font></BODY>
</HTML>