Red Hat Bugzilla – Bug 175259
smtpd.conf with saslauthd does not limit SASL mechanisms
Last modified: 2007-11-30 17:11:18 EST
Description of problem:
The default smtpd.conf that ships with the postfix rpm sets saslauthd as password verification, but it doesn't limit the SMTP AUTH mechanisms Postfix may announce to clients.
This will lead to authentication failures if a client chooses to use any other mechanism available than PLAIN or LOGIN, because saslauthd can only handle PLAIN and LOGIN.
It is quite likely that a client will choose any other mechanism, because it delegates the process of choosing the mechanism to libsasl, which will always go for the most secure mechanisms, and PLAIN and LOGIN, being plaintext mechanisms, are among the weakest mechanisms from a security standpoint.
Steps to Reproduce:
1. Configure Postfix to offer SMTP AUTH using the default smtpd.conf settings
2. Use a mail client that may use shared-secret mechanisms
3. Try to authenticate
Actual Results: Postfix offers all mechanisms that have been installed by the cyrus-sasl RPMs.
The client should fail, because it prefers CRAM-MD5 or DIGEST-MD5 over PLAIN or LOGIN.
Expected Results: Postfix should only offer mechanisms saslauthd can handle i.e. PLAIN and LOGIN.
Add the mech_list parameter and the options PLAIN LOGIN to smtpd.conf (or postfix-sasl.conf in the src.rpm) like this:
mech_list: PLAIN LOGIN
After this has been set and Postfix has been reloaded, it should only offer these plaintext-mechanisms after an "EHLO foo" in a telnet session to the SMTP port.
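As an added example (not part of this bug report or of the postfix package), a small Python checker that reproduces the reasoning above: it parses an smtpd.conf-style Cyrus SASL config, works out which mechanisms would be announced when pwcheck_method is saslauthd, and also extracts the mechanisms actually advertised in the 250-AUTH line of an EHLO reply, so the fix can be verified from the telnet session. The sample configs, installed-plugin list and EHLO replies are constructed for the example.

```python
import re

# saslauthd can only verify passwords for the plaintext mechanisms (see the report).
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}


def parse_sasl_conf(text):
    """Parse a Cyrus SASL application config ('key: value' lines, '#' comments)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def offered_mechanisms(conf, installed):
    """Mechanisms libsasl will announce: mech_list if set, otherwise every installed plugin."""
    mech_list = conf.get("mech_list")
    if mech_list:
        return {m.upper() for m in mech_list.split()}
    return {m.upper() for m in installed}


def check_sasl_conf(text, installed):
    """Return the advertised mechanisms saslauthd cannot verify (empty set means the config is fine)."""
    conf = parse_sasl_conf(text)
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return set()  # another password verifier; this check does not apply
    return offered_mechanisms(conf, installed) - SASLAUTHD_MECHS


def auth_mechs_from_ehlo(ehlo_reply):
    """Extract the mechanisms listed on the 250-AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


# Constructed sample inputs (hypothetical host name and plugin set, not from the page).
INSTALLED = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"]
WEAK_CONF = "pwcheck_method: saslauthd\n"                       # default: no mech_list
FIXED_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
EHLO_BEFORE = "250-mail.example.com\n250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n250 8BITMIME\n"
EHLO_AFTER = "250-mail.example.com\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"

if __name__ == "__main__":
    print("unusable mechs, default conf:", check_sasl_conf(WEAK_CONF, INSTALLED))
    print("unusable mechs, fixed conf:  ", check_sasl_conf(FIXED_CONF, INSTALLED))
    print("unusable mechs in EHLO reply:", auth_mechs_from_ehlo(EHLO_BEFORE) - SASLAUTHD_MECHS)
```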
These bugs are being closed since a large number of updates have been released after the FC5 test1 and test2 releases. Kindly update your system by running yum update as root user or try out the third and final test version of FC5 being released in a short while and verify if the bugs are still present on the system. Reopen or file new bug reports as appropriate after confirming the presence of this issue. Thanks
Created attachment 124881 [details]
replacement for current postfix-sasl.conf
Hello Thomas Woerner,
I've noted that this bug is still present in postfix-2.3.2-1.src.rpm shipped with FC6 test 2:
$ cat postfix-sasl.conf
Edit postfix-sasl.conf like this and the bug is fixed:
mech_list: PLAIN LOGIN
REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer test releases. We're cleaning up the bug database and making sure important bug reports filed against these test releases don't get lost. It would be helpful if you could test this issue with a released version of Fedora or with the latest development / test release. Thanks for your help and for your patience.
[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
The problem has been fixed. If I found a button to close this call, I'd do it.
I think you did. Thanks. :)