Patch status
Amir 'CG' Caspi
cepheid at 3phase.com
Tue Mar 12 14:17:56 EDT 2013
Hi all,
RHEL has closed the downstream bug (link below) as "WONTFIX"
because of their claim that these updates break compatibility with
various clients that rely on saslauthd. There are some suggestions
in that thread of a possible different implementation to the fix, but
basically, they're saying this has to be fixed on the cyrus/sasl side
and they won't include the existing patch as a fix.
They did make the (correct) comment that this should be fixed
for all auth mechanisms, not just auth_pam.
I know other people, besides just me, are interested in
getting this resolved... we're getting hit hard by spammers on our
SMTP server every day, and it would be enormously helpful to be able
to use fail2ban or some other firewall to block their access, but
without the rhost info, this is not possible.
Hopefully it's possible to come up with a more "global"
solution that would be acceptable to RHEL (and thus CentOS,
downstream).
Thanks!
--- Amir
At 6:26 PM +0100 10/16/2012, Alexey Melnikov wrote:
>Hi Amir,
>
>On 13/10/2012 02:55, Amir 'CG' Caspi wrote:
>>Speaking of more updates...
>>
>> This issue still hasn't been truly resolved:
>>http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-April/002233.html
>>
>> Lorenzo Catucci released a couple of patches to deal with this
>>but they were "rejected" by RHEL because they supposedly broke
>>compatibility with other utilities. From reading the latest
>>comments in the bug report
>>(https://bugzilla.redhat.com/show_bug.cgi?id=683797), especially
>>#16, it appears that this is because the patch causes saslauthd to
>>hang up if it doesn't receive rhost info, which it wouldn't from
>>utilities that haven't been modified to send it. Perhaps the patch
>>could be rewritten so that saslauthd doesn't _expect_ rhost, but
>>still allows it, so it won't hang up if not given that info.
>> Some later comments (notably #20) remark that this is an issue
>>with other auth schemes besides pam.
>
>I can apply the older patch (for 1.5.X, possibly updated), but my
>problem is that I can't really test it. If somebody is willing to
>try it out, I can attempt to fix this issue.
>
>> In any case, it would be awesome to have this updated at the
>>source (here), and to have it work - right now, without rhost
>>logging capability, DDoS banners like fail2ban can't use saslauthd
>>info (at least not with pam).
More information about the Cyrus-sasl
mailing list