question re. credential caching by saslauthd
Miles Fidelman
mfidelman at meetinghouse.net
Sat Mar 2 21:26:45 EST 2013
Hi Folks,
I just had a users' password compromised - with the result that a bunch
of spam was sent through her email account. (Fixed by changing her
password.)
But, in the process, I had to learn a lot about how Postfix wires
together with Cyrus SASL, and that in turn with PAM. I discovered
something that confuses me, and I hope someone can help:
- our system is set up to authenticate smtpd transactions via saslauthd
(and then to pam_unix to the password db)
- as soon as I changed the user's password, IMAP started failing
authentication and the password had to be changed, BUT...
- we could still SEND mail via smtpd using either username/newpassword
or username/oldpassword
- eventually this timed out and the old password stopped working
Obviously the old password was being cached somewhere, and my assumption
was in saslauthd's credentials cache - but that doesn't quite explain
why the old password stopped working for one service (imap), but
continued working for another (smtpd).
Which leads to several questions:
- what's going on being the obvious one - is this a Cyrus SASL behavior,
or is there some caching going on elsewhere (i.e, by the postfix smtpd)?
- what's the default setting for the cache timeout?
- is there a way to flush the credentials cache?
Thanks very much,
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
More information about the Cyrus-sasl
mailing list