question re. credential caching by saslauthd

Miles Fidelman mfidelman at meetinghouse.net
Sat Mar 2 21:26:45 EST 2013


Hi Folks,

I just had a user's password compromised - with the result that a bunch 
of spam was sent through her email account.  (Fixed by changing her 
password.)

But, in the process, I had to learn a lot about how Postfix wires 
together with Cyrus SASL, and that in turn with PAM.  I discovered 
something that confuses me, and I hope someone can help:

- our system is set up to authenticate smtpd transactions via saslauthd 
(and then to pam_unix to the password db)

- as soon as I changed the user's password, IMAP started failing 
authentication and the password had to be changed, BUT...

- we could still SEND mail via smtpd using either username/newpassword 
or username/oldpassword

- eventually this timed out and the old password stopped working

Obviously the old password was being cached somewhere, and my assumption 
was in saslauthd's credentials cache - but that doesn't quite explain 
why the old password stopped working for one service (imap), but 
continued working for another (smtpd).

Which leads to several questions:

- what's going on being the obvious one - is this a Cyrus SASL behavior, 
or is there some caching going on elsewhere (i.e., by the Postfix smtpd)?

- what's the default setting for the cache timeout?

- is there a way to flush the credentials cache?

Thanks very much,

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra