Re: changing PAM service name

Re: changing PAM service name

Andreas Winkelmann
On Monday, 21 April 2008, [hidden email] wrote:

> I am right now using PAM authentication through saslauthd for SMTP
> authentication. Currently the PAM service name which postfix uses is
> "smtp". Is it possible to change this service name which is being sent to
> PAM via saslauthd?

Only by changing the Postfix source code; this name is static in Postfix.

.../src/smtpd/smtpd_sasl_glue.c
...
/* smtpd_sasl_connect - per-connection initialization */

void    smtpd_sasl_connect(SMTPD_STATE *state, const char *sasl_opts_name,
                                   const char *sasl_opts_val)
{
...

    /*
     * Set up a new server context for this connection.
     */
#define SMTPD_SASL_SERVICE "smtp"

    if ((state->sasl_server =
         xsasl_server_create(smtpd_sasl_impl, state->client,
                             SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
                             var_smtpd_sasl_realm : (char *) 0,
                             sasl_opts_val)) == 0)
        msg_fatal("SASL per-connection initialization failed");

...


Change the "smtp" in the #define to what you need.

--
        Andreas

Re: changing PAM service name

Victor Duchovni
On Tue, May 06, 2008 at 09:47:59PM +0200, Andreas Winkelmann wrote:

> On Monday, 21 April 2008, [hidden email] wrote:
>
> > I am right now using PAM authentication through saslauthd for SMTP
> > authentication. Currently the PAM service name which postfix uses is
> > "smtp". Is it possible to change this service name which is being sent to
> > PAM via saslauthd?
>
> Only by changing the Postfix source code; this name is static in Postfix.
>
> .../src/smtpd/smtpd_sasl_glue.c
> ...
> /* smtpd_sasl_connect - per-connection initialization */
>
> void    smtpd_sasl_connect(SMTPD_STATE *state, const char *sasl_opts_name,
>                                    const char *sasl_opts_val)
> {
> ...
>
>     /*
>      * Set up a new server context for this connection.
>      */
> #define SMTPD_SASL_SERVICE "smtp"
>
>     if ((state->sasl_server =
>          xsasl_server_create(smtpd_sasl_impl, state->client,
>                              SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
>                              var_smtpd_sasl_realm : (char *) 0,
>                              sasl_opts_val)) == 0)
>         msg_fatal("SASL per-connection initialization failed");
>
>
> Change the "smtp" in the #define to what you need.

This may work for PAM, but may break GSSAPI, or other SASL mechanisms
where the service name has meaning on the wire and the client's choice
of service name may need to be consistent with the server's.

So if this is to change, it should not be hard-coded to a new value.
A new configuration parameter is likely required. Is there a compelling
use case for making this configurable?

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: changing PAM service name

Patrick Ben Koetter
* Victor Duchovni <[hidden email]>:
> >

...

> > Change the "smtp" in the #define to what you need.
>
> This may work for PAM, but may break GSSAPI, or other SASL mechanisms
> where the service name has meaning on the wire and the client's choice
> of service name may need to be consistent with the server's.
>
> So if this is to change, it should not be hard-coded to a new value.
> A new configuration parameter is likely required. Is there a compelling
> use case for making this configurable?

Both RFCs specify "smtp" as service name:

        The service name specified by this protocol's profile of SASL
        is "smtp".  -- RFC 2554 "SMTP Authentication"
        <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2554&type=http&file_format=txt>

        The service name specified by this protocol's profile of SASL is
        "smtp".  This service name is also to be used for the [SUBMIT]
        protocol. -- RFC 4954 "SMTP Service Extension for Authentication"
        <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=4954&type=http&file_format=txt>

There's no MUST in there. Still, as I read it, we should not change it.

p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: changing PAM service name

Victor Duchovni
On Tue, May 06, 2008 at 11:45:36PM +0200, Patrick Ben Koetter wrote:

> > So if this is to change, it should not be hard-coded to a new value.
> > A new configuration parameter is likely required. Is there a compelling
> > use case for making this configurable?
>
> Both RFCs specify "smtp" as service name:
>
>         The service name specified by this protocol's profile of SASL
>         is "smtp".  -- RFC 2554 "SMTP Authentication"
>         <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2554&type=http&file_format=txt>
>
>         The service name specified by this protocol's profile of SASL is
>         "smtp".  This service name is also to be used for the [SUBMIT]
>         protocol. -- RFC 4954 "SMTP Service Extension for Authentication"
>         <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=4954&type=http&file_format=txt>
>

When a client is doing GSSAPI auth to an MSA on port 587, is the
service name still "smtp" or should it now be "submission"? This may be
incompletely defined by the standards, or the standards may not reflect
actual practice...

--
        Viktor.


Re: changing PAM service name

Patrick Ben Koetter
* Victor Duchovni <[hidden email]>:

> On Tue, May 06, 2008 at 11:45:36PM +0200, Patrick Ben Koetter wrote:
>
> > > So if this is to change, it should not be hard-coded to a new value.
> > > A new configuration parameter is likely required. Is there a compelling
> > > use case for making this configurable?
> >
> > Both RFCs specify "smtp" as service name:
> >
> >         The service name specified by this protocol's profile of SASL
> >         is "smtp".  -- RFC 2554 "SMTP Authentication"
> >         <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2554&type=http&file_format=txt>
> >
> >         The service name specified by this protocol's profile of SASL is
> >         "smtp".  This service name is also to be used for the [SUBMIT]
> >         protocol. -- RFC 4954 "SMTP Service Extension for Authentication"
> >         <http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=4954&type=http&file_format=txt>
> >
>
> When a client is doing GSSAPI auth to an MSA on port 587, is the
> service name still "smtp" or should it now be "submission"? This may be
> incompletely defined by the standards, or the standards may not reflect
> actual practice...

Reading through the RFCs I couldn't find any section that would elaborate on
that. I can try to contact Rob Siemborski or Alexey Melnikov on that. They are
quoted as editors of RFC 4954.

p@rick


Re: changing PAM service name

Victor Duchovni
On Wed, May 07, 2008 at 12:31:36AM +0200, Patrick Ben Koetter wrote:

> Reading through the RFCs I couldn't find any section that would elaborate on
> that. I can try to contact Rob Siemborski or Alexey Melnikov on that. They are
> quoted as editors of RFC 4954.
>

Section 4 (long), middle of Page 5:

    The service name specified by this protocol's profile of SASL is
    "smtp".  This service name is also to be used for the [SUBMIT]
    protocol.

so the service name is "smtp" regardless of the service port. Which in
practice means that the requested change is unwise.

--
        Viktor.
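
How the service name discussed in this thread travels from the SASL library to PAM, as an added example that is not part of any message above and is not Postfix or Cyrus SASL code. It assumes the counted-string request layout of Cyrus SASL's saslauthd (login, password, service, realm, each with a 16-bit big-endian length) and the Linux-PAM /etc/pam.d/<service> layout; the function names, the credentials and the edited name "smtp-auth" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Request fields {login, password, service, realm}: 16-bit big-endian length, then bytes. */
size_t build_request(unsigned char *buf, size_t cap, const char *const f[4])
{
    size_t off = 0;
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(f[i]);
        if (n > 0xFFFF || cap - off < 2 + n) return 0;   /* 0 = does not fit */
        buf[off] = (unsigned char)(n >> 8); buf[off + 1] = (unsigned char)(n & 0xFF);
        memcpy(buf + off + 2, f[i], n);
        off += 2 + n;
    }
    return off;
}

/* Copy field idx (2 = service) into out; -1 if the request is malformed. */
int get_field(const unsigned char *buf, size_t len, int idx, char *out, size_t outcap)
{
    size_t off = 0;
    for (int i = 0; ; i++) {
        if (idx < 0 || len - off < 2) return -1;
        size_t n = ((size_t)buf[off] << 8) | buf[off + 1];
        if (n > len - off - 2 || (i == idx && n >= outcap)) return -1;
        if (i < idx) { off += 2 + n; continue; }
        memcpy(out, buf + off + 2, n);
        out[n] = '\0';
        return 0;
    }
}

/* Linux-PAM policy file for a service name; refuses names leaving /etc/pam.d. */
int pam_path(const char *service, char *out, size_t cap)
{
    if (!*service || *service == '.' || strchr(service, '/')) return -1;
    int n = snprintf(out, cap, "/etc/pam.d/%s", service);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample; "smtp-auth" stands for an edited SMTPD_SASL_SERVICE. */
    const char *const f[4] = { "alice", "constructed-pw", "smtp-auth", "" };
    unsigned char req[128];
    char svc[64], path[96];
    size_t len = build_request(req, sizeof req, f);
    if (!len || get_field(req, len, 2, svc, sizeof svc) || pam_path(svc, path, sizeof path)) return 1;
    printf("PAM file: %s\nGSSAPI: server accepts %s@host, clients request smtp@host\n", path, svc);
    return 0;
}
```

The same string selects the PAM policy file and forms the GSSAPI host-based name, which is why an edited value can work for PAM while clients that follow RFC 4954 and request "smtp" no longer match.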
