Patch status

Amir 'CG' Caspi cepheid at 3phase.com
Tue Mar 12 14:17:56 EDT 2013


Hi all,

	RHEL has closed the downstream bug (link below) as "WONTFIX" 
because of their claim that these updates break compatibility with 
various clients that rely on saslauthd.  There are some suggestions 
in that thread of a possible different implementation to the fix, but 
basically, they're saying this has to be fixed on the cyrus/sasl side 
and they won't include the existing patch as a fix.
	They did make the (correct) comment that this should be fixed 
for all auth mechanisms, not just auth_pam.

	I know other people, besides just me, are interested in 
getting this resolved... we're getting hit hard by spammers on our 
SMTP server every day, and it would be enormously helpful to be able 
to use fail2ban or some other firewall to block their access, but 
without the rhost info, this is not possible.

	Hopefully it's possible to come up with a more "global" 
solution that would be acceptable to RHEL (and thus CentOS, 
downstream).

Thanks!

						--- Amir

At 6:26 PM +0100 10/16/2012, Alexey Melnikov wrote:
>Hi Amir,
>
>On 13/10/2012 02:55, Amir 'CG' Caspi wrote:
>>Speaking of more updates...
>>
>>     This issue still hasn't been truly resolved:
>>http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-April/002233.html
>>
>>     Lorenzo Catucci released a couple of patches to deal with this 
>>but they were "rejected" by RHEL because they supposedly broke 
>>compatibility with other utilities.  From reading the latest 
>>comments in the bug report 
>>(https://bugzilla.redhat.com/show_bug.cgi?id=683797), especially 
>>#16, it appears that this is because the patch causes saslauthd to 
>>hang up if it doesn't receive rhost info, which it wouldn't from 
>>utilities that haven't been modified to send it.  Perhaps the patch 
>>could be rewritten so that saslauthd doesn't _expect_ rhost, but 
>>still allows it, so it won't hang up if not given that info.
>>     Some later comments (notably #20) remark that this is an issue 
>>with other auth schemes besides pam.
>
>I can apply the older patch (for 1.5.X, possibly updated), but my 
>problem is that I can't really test it. If somebody is willing to 
>try it out, I can attempt to fix this issue.
>
>>     In any case, it would be awesome to have this updated at the 
>>source (here), and to have it work - right now, without rhost 
>>logging capability, DDoS banners like fail2ban can't use saslauthd 
>>info (at least not with pam).
