From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
The default smtpd.conf that ships with the postfix rpm sets saslauthd as password verification, but it doesn't limit the SMTP AUTH mechanisms Postfix may announce to clients. This will lead to authentication failures if a client chooses to use any other mechanism available than PLAIN or LOGIN, because saslauthd can only handle PLAIN and LOGIN. It is quite likely that a client will choose any other mechanism, because it delegates the process of choosing the mechanism to libsasl, which will always go for the most secure mechanisms, and PLAIN and LOGIN, being plaintext mechanisms, are among the weakest mechanisms from a security standpoint.

Version-Release number of selected component (if applicable):
postfix-2.2.5-2.1.src.rpm

How reproducible:
Didn't try

Steps to Reproduce:
1. Configure Postfix to offer SMTP AUTH using the default smtpd.conf settings
2. Use a mail client that may use shared-secret mechanisms
3. Try to authenticate

Actual Results:
Postfix offers all mechanisms that have been installed by the cyrus-sasl RPMs. The client should fail, because it prefers CRAM-MD5 or DIGEST-MD5 over PLAIN or LOGIN.

Expected Results:
Postfix should only offer mechanisms saslauthd can handle, i.e. PLAIN and LOGIN.

Additional info:
Add the mech_list parameter and the options PLAIN LOGIN to smtpd.conf (or postfix-sasl.conf in the src.rpm) like this:

mech_list: PLAIN LOGIN

After this has been set and Postfix has been reloaded, it should only offer these plaintext mechanisms after an "EHLO foo" in a telnet session to the SMTP port.
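An added check for the symptom described in the report above (example code, not from the report, the reporter or the Postfix project): it parses an EHLO reply and flags every advertised AUTH mechanism that saslauthd cannot verify, so an administrator can confirm whether mech_list took effect. The sample EHLO reply, the host names and the function names are constructed for this example.

```python
"""Check which SMTP AUTH mechanisms a Postfix server advertises after
EHLO and flag those saslauthd cannot verify (it only handles PLAIN and
LOGIN). Added example, not code from the bug report or from Postfix."""
import smtplib

# Mechanisms saslauthd can verify (plaintext only), as stated in the report.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO reply modelled on a Postfix whose smtpd.conf has no
# mech_list, so every installed cyrus-sasl mechanism is announced.
# Not captured from a real host; "AUTH=" is the legacy form for old clients.
SAMPLE_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250 8BITMIME\r\n"
)

def parse_auth_mechs(ehlo_response):
    """Return the set of mechanisms named on the 250-AUTH line(s);
    both the 'AUTH ' and the 'AUTH=' spellings are accepted."""
    mechs = set()
    for line in ehlo_response.splitlines():
        body = line[4:].strip()            # drop the '250-' / '250 ' prefix
        if body.upper().startswith("AUTH"):
            rest = body[4:].lstrip("= ")   # text after 'AUTH' or 'AUTH='
            mechs.update(m.upper() for m in rest.split())
    return mechs

def unsupported_by_saslauthd(mechs):
    """Mechanisms offered but unverifiable by saslauthd; any member means a
    client that prefers it (libsasl picks the strongest) cannot log in."""
    return set(mechs) - SASLAUTHD_MECHS

def check_live(host, port=25, helo="checker.example"):
    """Query a real server (not run in this example); hypothetical helper."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        code, msg = s.ehlo(helo)
        if code != 250:
            raise RuntimeError("EHLO failed: %d %r" % (code, msg))
        mechs = set(s.esmtp_features.get("auth", "").upper().split())
    return unsupported_by_saslauthd(mechs)

if __name__ == "__main__":
    bad = unsupported_by_saslauthd(parse_auth_mechs(SAMPLE_EHLO))
    print("add 'mech_list: PLAIN LOGIN' to smtpd.conf:", sorted(bad) if bad else "ok")
```

An empty result from `unsupported_by_saslauthd` is the expected state after mech_list has been added and Postfix reloaded.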
These bugs are being closed since a large number of updates have been released after the FC5 test1 and test2 releases. Kindly update your system by running yum update as root user or try out the third and final test version of FC5 being released in a short while and verify if the bugs are still present on the system. Reopen or file new bug reports as appropriate after confirming the presence of this issue. Thanks
Created attachment 124881: replacement for current postfix-sasl.conf
Hello Thomas Woerner, I've noted that this bug is still present in postfix-2.3.2-1.src.rpm shipped with FC6 test 2:

$ cat postfix-sasl.conf
pwcheck_method: saslauthd

Edit postfix-sasl.conf like this and the bug is fixed:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer test releases. We're cleaning up the bug database and making sure important bug reports filed against these test releases don't get lost. It would be helpful if you could test this issue with a released version of Fedora or with the latest development / test release. Thanks for your help and for your patience. [This is a bulk message for all open FC5/FC6 test release bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
The problem has been fixed. If I found a button to close this call, I'd do it.
I think you did. Thanks. :)