SASL auth cache?


SASL auth cache?

Tom Sommer
Hi all

I just observed Postfix not picking up changes in the SASL auth backend,
is there some kind of cache involved here? I had to restart postfix in
order for it to see that a (spamming) SASL account no longer existed,
even though the Dovecot auth-backend was aware of this.

Thanks.
--
Tom

Re: SASL auth cache?

Wietse Venema
Tom Sommer:
> Hi all
>
> I just observed Postfix not picking up changes in the SASL auth backend,
> is there some kind of cache involved here?

There is no such thing in Postfix. Also not in the Postfix Dovecot client.

        Wietse

> I had to restart postfix in
> order for it to see that a (spamming) SASL account no longer existed,
> even though the Dovecot auth-backend was aware of this.
>
> Thanks.
> --
> Tom
>

Re: SASL auth cache?

Tom Sommer


On 2021-01-17 14:22, Wietse Venema wrote:
> Tom Sommer:
>> Hi all
>>
>> I just observed Postfix not picking up changes in the SASL auth
>> backend,
>> is there some kind of cache involved here?
>
> There is no such thing in Postfix. Also not in the Postfix Dovecot
> client.

Curious, and it couldn't be connection cache/reuse or something?

---
Tom

Re: SASL auth cache?

Christian Kivalo


On January 17, 2021 2:32:49 PM GMT+01:00, Tom Sommer <[hidden email]> wrote:

>
>
>On 2021-01-17 14:22, Wietse Venema wrote:
>> Tom Sommer:
>>> Hi all
>>>
>>> I just observed Postfix not picking up changes in the SASL auth
>>> backend,
>>> is there some kind of cache involved here?
>>
>> There is no such thing in Postfix. Also not in the Postfix Dovecot
>> client.
>
>Curious, and it couldn't be connection cache/reuse or something?

Could it have been an authenticated, still open connection that got closed as postfix was restarted?

>---
>Tom

--
Christian Kivalo

Re: SASL auth cache?

Wietse Venema
In reply to this post by Tom Sommer
Tom Sommer:

>
>
> On 2021-01-17 14:22, Wietse Venema wrote:
> > Tom Sommer:
> >> Hi all
> >>
> >> I just observed Postfix not picking up changes in the SASL auth
> >> backend,
> >> is there some kind of cache involved here?
> >
> > There is no such thing in Postfix. Also not in the Postfix Dovecot
> > client.
>
> Curious, and it couldn't be connection cache/reuse or something?

Your Postfix SMTP server logs would contain one smtpd 'connect'
event with multiple smtpd "QUEUEID: client=name[address]" events.

        Wietse

Re: SASL auth cache?

Tom Sommer
On 2021-01-17 17:29, Wietse Venema wrote:

>> On 2021-01-17 14:22, Wietse Venema wrote:
>> >> I just observed Postfix not picking up changes in the SASL auth
>> >> backend,
>> >> is there some kind of cache involved here?
>> >
>> > There is no such thing in Postfix. Also not in the Postfix Dovecot
>> > client.
>>
>> Curious, and it couldn't be connection cache/reuse or something?
>
> Your Postfix SMTP server logs would contain one smtpd 'connect'
> event with multiple smtpd "QUEUEID: client=name[address]" events.

That's basically what I see. A few connect-events and a ton of
"sasl_username" client-events. So the same connection is being reused by
the client to just keep the connection open and send mails, bypassing
any password changes or account deletion. Is there some way to prevent
this? Perhaps have the connection die after 10 seconds, forcing a
re-auth?

--
Tom

Re: SASL auth cache?

Tom Sommer

On 2021-01-17 18:08, Tom Sommer wrote:

> On 2021-01-17 17:29, Wietse Venema wrote:
>
>>> On 2021-01-17 14:22, Wietse Venema wrote:
>>> >> I just observed Postfix not picking up changes in the SASL auth
>>> >> backend,
>>> >> is there some kind of cache involved here?
>>> >
>>> > There is no such thing in Postfix. Also not in the Postfix Dovecot
>>> > client.
>>>
>>> Curious, and it couldn't be connection cache/reuse or something?
>>
>> Your Postfix SMTP server logs would contain one smtpd 'connect'
>> event with multiple smtpd "QUEUEID: client=name[address]" events.
>
> That's basically what I see. A few connect-events and a ton of
> "sasl_username" client-events. So the same connection is being reused
> by the client to just keep the connection open and send mails,
> bypassing any password changes or account deletion. Is there some way
> to prevent this? Perhaps have the connection die after 10 seconds,
> forcing a re-auth?

Jan 17 06:45:23 asmtp postfix/smtpd[25435]: connect from
ip192.ip-51-77-20.eu[51.77.20.192]
....
Jan 17 06:53:47 asmtp postfix/smtpd[25435]: disconnect from
ip192.ip-51-77-20.eu[51.77.20.192] ehlo=2 starttls=1 auth=1 mail=52
rcpt=52 data=51 commands=159
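
The log pattern discussed above (one smtpd 'connect' event followed by many "QUEUEID: client=..., sasl_username=..." events) can be checked with a short script. This is an added example, not part of the original thread; the sample log lines, host names, queue IDs and users are constructed, and the `max_msgs` threshold is an assumption to tune locally.

```python
import re

# Constructed sample in Postfix smtpd syslog format; hosts, queue IDs and users are made up.
SAMPLE_LOG = """\
Jan 17 06:45:23 mx postfix/smtpd[25435]: connect from client.example.net[192.0.2.10]
Jan 17 06:45:25 mx postfix/smtpd[25435]: 4A1B2C3D01: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 17 06:46:02 mx postfix/smtpd[25435]: 4A1B2C3D02: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 17 06:47:40 mx postfix/smtpd[25435]: 4A1B2C3D03: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 17 06:48:00 mx postfix/smtpd[25440]: connect from other.example.net[192.0.2.20]
Jan 17 06:48:01 mx postfix/smtpd[25440]: 4A1B2C3D04: client=other.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.org
Jan 17 06:48:03 mx postfix/smtpd[25440]: disconnect from other.example.net[192.0.2.20] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 17 06:53:47 mx postfix/smtpd[25435]: disconnect from client.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=3 rcpt=3 data=3 commands=10
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
SASL_CLIENT = re.compile(r"^\w+: client=\S+.*\bsasl_username=([^,\s]+)")

def sessions(log_text):
    """Group smtpd lines into sessions; a smtpd process (PID) serves one connection at a time."""
    live, done = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            live[pid] = {"client": msg[len("connect from "):], "users": {}, "auth": None}
        elif pid in live:
            sasl = SASL_CLIENT.match(msg)
            if sasl:  # one "QUEUEID: client=..." event per accepted message
                users = live[pid]["users"]
                users[sasl[1]] = users.get(sasl[1], 0) + 1
            elif msg.startswith("disconnect from "):
                counters = dict(re.findall(r"(\w+)=(\d+)", msg))
                live[pid]["auth"] = int(counters.get("auth", 0))
                done.append(live.pop(pid))
    return done + list(live.values())  # sessions with no disconnect yet are still open

def long_lived_auth(log_text, max_msgs=2):
    """Return (client, sasl_username, messages, auth_count) for sessions exceeding max_msgs."""
    return [(s["client"], user, n, s["auth"])
            for s in sessions(log_text)
            for user, n in s["users"].items() if n > max_msgs]

if __name__ == "__main__":
    for hit in long_lived_auth(SAMPLE_LOG):
        print(hit)
```

An `auth_count` of `None` in a result means no disconnect line was seen, so the authenticated connection was still open at the end of the log.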

Re: SASL auth cache?

Matus UHLAR - fantomas
In reply to this post by Tom Sommer
>>>>> I just observed Postfix not picking up changes in the SASL auth
>>>>> backend,
>>>>> is there some kind of cache involved here?

>>>On 2021-01-17 14:22, Wietse Venema wrote:
>>>> There is no such thing in Postfix. Also not in the Postfix Dovecot
>>>> client.

>>>Curious, and it couldn't be connection cache/reuse or something?

>On 2021-01-17 17:29, Wietse Venema wrote:
>>Your Postfix SMTP server logs would contain one smtpd 'connect'
>>event with multiple smtpd "QUEUEID: client=name[address]" events.

On 17.01.21 18:08, Tom Sommer wrote:
>That's basically what I see. A few connect-events and a ton of
>"sasl_username" client-events. So the same connection is being reused
>by the client to just keep the connection open and send mails,
>bypassing any password changes or account deletion. Is there some way
>to prevent this? Perhaps have the connection die after 10 seconds,
>forcing a re-auth?

I've had this problem with Cyrus SASL IIRC. Restarting saslauthd helped.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are

Re: SASL auth cache?

Wietse Venema
In reply to this post by Tom Sommer
Tom Sommer:

> On 2021-01-17 17:29, Wietse Venema wrote:
>
> >> On 2021-01-17 14:22, Wietse Venema wrote:
> >> >> I just observed Postfix not picking up changes in the SASL auth
> >> >> backend,
> >> >> is there some kind of cache involved here?
> >> >
> >> > There is no such thing in Postfix. Also not in the Postfix Dovecot
> >> > client.
> >>
> >> Curious, and it couldn't be connection cache/reuse or something?
> >
> > Your Postfix SMTP server logs would contain one smtpd 'connect'
> > event with multiple smtpd "QUEUEID: client=name[address]" events.
>
> That's basically what I see. A few connect-events and a ton of
> "sasl_username" client-events. So the same connection is being reused by
> the client to just keep the connection open and send mails, bypassing
> any password changes or account deletion. Is there some way to prevent
> this? Perhaps have the connection die after 10 seconds, forcing a
> re-auth?

There is no defined behavior for doing this in SMTP. You may be
able to configure Postfix with postfwd etc. to reply with 421
(forcing Postfix to hang up), or to do the same using Postfix's built-in
smtpd_client_message_rate_limit feature.

        Wietse