question re. credential caching by saslauthd

Dan White dwhite at olp.net
Sat Mar 2 21:55:51 EST 2013


On 03/02/13 21:26 -0500, Miles Fidelman wrote:
>Hi Folks,
>
>I just had a user's password compromised - with the result that a 
>bunch of spam was sent through her email account.  (Fixed by changing 
>her password.)
>
>But, in the process, I had to learn a lot about how Postfix wires 
>together with Cyrus SASL, and that in turn with PAM.  I discovered 
>something that confuses me, and I hope someone can help:
>
>- our system is set up to authenticate smtpd transactions via 
>saslauthd (and then to pam_unix to the password db)
>
>- as soon as I changed the user's password, IMAP started failing 
>authentication and the password had to be changed, BUT...
>
>- we could still SEND mail via smtpd using either 
>username/newpassword or username/oldpassword
>
>- eventually this timed out and the old password stopped working
>
>Obviously the old password was being cached somewhere, and my 
>assumption was in saslauthd's credentials cache - but that doesn't 
>quite explain why the old password stopped working for one service 
>(imap), but continued working for another (smtpd).
>
>Which leads to several questions:
>
>- what's going on being the obvious one - is this a Cyrus SASL 
>behavior, or is there some caching going on elsewhere (i.e., by the 
>postfix smtpd)?
>
>- what's the default setting for the cache timeout?
>
>- is there a way to flush the credentials cache?

See the manpage for saslauthd, specifically the '-c' and '-t' options.

The default timeout is:

saslauthd/cache.h:#define CACHE_DEFAULT_TIMEOUT           28800

Restarting saslauthd should flush its cache.

To better understand the scope of the problem, try troubleshooting with
imtest, smtptest, testsaslauthd (with '-s smtp', and '-s imap'), and
pamtester.

-- 
Dan White
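A simplified model of the caching behaviour discussed in this thread, added here as an illustration and not taken from saslauthd's own source: entries are kept per user, realm and service (so a stale smtp entry says nothing about imap) and expire after the timeout quoted above, while restarting the daemon empties the table. Keying each entry on the password digest as well, so that the old and the new password can both hit, is an assumption about the real cache; the account name and passwords are constructed sample data.

```python
import hashlib

CACHE_DEFAULT_TIMEOUT = 28800  # seconds, the value quoted from saslauthd/cache.h


class SaslauthdCacheModel:
    """Model of saslauthd's -c cache: a hit needs user, realm, service and
    password digest to match, and the entry must be younger than the -t timeout."""

    def __init__(self, backend, clock, timeout=CACHE_DEFAULT_TIMEOUT):
        self.backend = backend    # {user: password}; stands in for PAM/pam_unix (constructed)
        self.clock = clock        # injectable clock so expiry can be shown deterministically
        self.timeout = timeout
        self.entries = {}         # (user, realm, service, digest) -> time of last commit

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, user, password, service, realm=""):
        key = (user, realm, service, self._digest(password))
        now = self.clock()
        if key in self.entries and now - self.entries[key] < self.timeout:
            return True       # cache hit: the backend (and the new password) is never consulted
        if self.backend.get(user) != password:
            return False      # miss or expired entry, and the backend rejects the password
        self.entries[key] = now   # a success is committed for this user/service only
        return True

    def flush(self):
        self.entries.clear()  # what restarting saslauthd achieves


def _primed_cache(clock):
    backend = {"alice": "old-secret"}                    # constructed sample account
    cache = SaslauthdCacheModel(backend, clock)
    cache.authenticate("alice", "old-secret", "smtp")    # smtp entry cached before the change
    backend["alice"] = "new-secret"                      # password changed after the compromise
    return cache


def reproduce_thread_scenario():
    now = [0]
    cache = _primed_cache(lambda: now[0])
    results = {
        "smtp_old_after_change": cache.authenticate("alice", "old-secret", "smtp"),
        "smtp_new_after_change": cache.authenticate("alice", "new-secret", "smtp"),
        "imap_old_after_change": cache.authenticate("alice", "old-secret", "imap"),
    }
    now[0] = CACHE_DEFAULT_TIMEOUT   # 8 hours later the stale smtp entry has aged out
    results["smtp_old_after_timeout"] = cache.authenticate("alice", "old-secret", "smtp")
    cache = _primed_cache(lambda: 0)
    cache.flush()                    # equivalent of a restart right after the password change
    results["smtp_old_after_flush"] = cache.authenticate("alice", "old-secret", "smtp")
    return results
```

The smtp entry keeps accepting the old password until it expires or the table is flushed, while imap, which has no cached entry, goes straight to the backend and only accepts the new one.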