Is the limitation on password text in a file for smtp_sasl_password_maps


Vladimir Lomov
Hello,
 
I faced a strange problem with my Postfix configuration. I use Postfix as an SMTP client to send emails from my host. Recently I changed the password on the external email server, updated the file that stores passwords, and now I see SASL authentication failures in the log. I wonder, is there a limitation on the password part in the file pointed to by smtp_sasl_password_maps?
 
This is the password part of my Postfix configuration:
 
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 
where sasl_passwd has the following format:
 
    [hidden email]   account:PASSWORD
 
The only restriction on PASSWORD that the email server imposes is to avoid the ' and ~ symbols; right now PASSWORD has any symbols except these, for example it has the symbols: ;:".

I read the documentation but didn't find any restrictions on the PASSWORD part. Did I miss something?
 
---
WBR, Vladimir Lomov


Re: Is the limitation on password text in a file for smtp_sasl_password_maps

Wietse Venema
Vladimir Lomov:

> Hello,
>  
> I faced a strange problem with my Postfix configuration. I use Postfix as an SMTP client to send emails from my host. Recently I changed the password on the external email server, updated the file that stores passwords, and now I see SASL authentication failures in the log. I wonder, is there a limitation on the password part in the file pointed to by smtp_sasl_password_maps?
>  
> This is the password part of my Postfix configuration:
>  
>     smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>  
> where sasl_passwd has the following format:
>  
>     [hidden email]   account:PASSWORD
>  
> The only restriction on PASSWORD that the email server imposes is to avoid
> the ' and ~ symbols; right now PASSWORD has any symbols except these,
> for example it has the symbols: ;:".

What is the output from:

        postmap -q [hidden email] | od -cb

Does it show anything unexpected, or does it not show anything
that you would expect to be in the output?

> I read the documentation but didn't find any restrictions on
> the PASSWORD part. Did I miss something?

When you create hash:/etc/postfix/sasl_passwd, the postmap command
will
- strip leading whitespace before 'account:password'
- strip trailing whitespace after 'account:password'
- store text as null-terminated strings.

Therefore, the postmap command will not store leading whitespace in the 'account'
portion, will not store trailing whitespace in the 'password' portion, and will
not store text that follows a null byte.

The password lookup code splits the 'account:password' lookup result
as follows:

        passwd = split_at(session->sasl_username, ':');

Where session->sasl_username initially contains the entire lookup result.
The split_at() call consumes exactly one ':' character.

Therefore, there must be no ':' in the 'account' portion of the
sasl_passwd lookup result. Otherwise, split_at() does not introduce
any additional syntax restrictions on sasl_passwd syntax beyond
those already introduced by the postmap command.

        Wietse
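
Added example, not part of the original post and not Postfix source code: a small C model of the two rules described in the reply above (whitespace trimmed from the stored value, then one split at the first ':'). The names `split_at_first`, `trim_value` and `parses_to` are hypothetical, and the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the split described in the post: cut at the first
 * delimiter, consume exactly that one character, return the remainder
 * (NULL when the delimiter is absent). */
static char *split_at_first(char *s, int delim)
{
    char *cp = strchr(s, delim);
    if (cp != NULL)
        *cp++ = '\0';
    return cp;
}

/* Model of what postmap stores for a value: no leading or trailing
 * whitespace. As a C string, anything after a NUL byte is already gone. */
static char *trim_value(char *s)
{
    size_t n;
    while (isspace((unsigned char)*s))
        s++;
    n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        s[--n] = '\0';
    return s;
}

/* Returns 1 when the right-hand side `raw` yields exactly this
 * account/password pair, 0 otherwise (including "no ':' at all"). */
int parses_to(const char *raw, const char *account, const char *password)
{
    char buf[256], *acct, *pw;
    if (strlen(raw) >= sizeof(buf))
        return 0;
    strcpy(buf, raw);
    acct = trim_value(buf);
    pw = split_at_first(acct, ':');
    return pw != NULL && strcmp(acct, account) == 0 && strcmp(pw, password) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    printf("%d\n", parses_to("  account:p;a:ss\"w \t", "account", "p;a:ss\"w"));
    printf("%d\n", parses_to("realm:user:secret", "realm", "user:secret"));
    printf("%d\n", parses_to("no-colon-here", "no-colon-here", ""));
    return 0;
}
```

The second case is the one to watch for: an account written as `realm:user` is cut after `realm`, and everything after the first ':' is treated as the password.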


Re: Is the limitation on password text in a file for smtp_sasl_password_maps

Vladimir Lomov
Hello,
** Wietse Venema [2019-03-29 10:06:14 -0400]:

> Vladimir Lomov:
>> Hello,
>>  
>> I faced a strange problem with my Postfix configuration. I use
>> Postfix as an SMTP client to send emails from my host. Recently I
>> changed the password on the external email server, updated the file that
>> stores passwords, and now I see SASL authentication failures in the log. I
>> wonder, is there a limitation on the password part in the file pointed to by
>> smtp_sasl_password_maps?
>>  
>> This is the password part of my Postfix configuration:
>>  
>>     smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>  
>> where sasl_passwd has the following format:
>>  
>>     [hidden email]   account:PASSWORD
>>  
>> The only restriction on PASSWORD that the email server imposes is to avoid the '
>> and ~ symbols; right now PASSWORD has any symbols except these, for
>> example it has the symbols: ;:".
>
> What is the output from:
>
> postmap -q [hidden email] | od -cb
It outputs the expected string (actually I had to use the following):

    # postmap -q [hidden email] /etc/postfix/sasl_passwd | od -cb

> Does it show anything unexpected, or does it not show anything
> that you would expect to be in the output?
>
>> I read the documentation but didn't find any restrictions on
>> the PASSWORD part. Did I miss something?
>
> When you create hash:/etc/postfix/sasl_passwd, the postmap command
> will
> - strip leading whitespace before 'account:password'
> - strip trailing whitespace after 'account:password'
> - store text as null-terminated strings.
>
> Therefore, the postmap command will not store leading whitespace in the 'account'
> portion, will not store trailing whitespace in the 'password' portion, and will
> not store text that follows a null byte.
>
> The password lookup code splits the 'account:password' lookup result
> as follows:
>
>         passwd = split_at(session->sasl_username, ':');
>
> Where session->sasl_username initially contains the entire lookup result.
> The split_at() call consumes exactly one ':' character.
>
> Therefore, there must be no ':' in the 'account' portion of the
> sasl_passwd lookup result. Otherwise, split_at() does not introduce
> any additional syntax restrictions on sasl_passwd syntax beyond
> those already introduced by the postmap command.
As I expected.

> Wietse

Thank you. It turned out the problem was with the MAIL server provider.

---
WBR, Vladimir Lomov

--
Every love's the love before
In a duller dress.
                -- Dorothy Parker, "Summary"
