Bug 175259 - smtpd.conf with saslauthd does not limit SASL mechanisms
Product: Fedora
Classification: Fedora
Component: postfix
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Thomas Woerner
Keywords: Reopened
Reported: 2005-12-08 05:22 EST by Patrick Ben Koetter
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-04-07 07:55:03 EDT

Attachments
replacement for current postfix-sasl.conf (49 bytes, text/plain)
2006-02-20 07:11 EST, Patrick Ben Koetter
Description Patrick Ben Koetter 2005-12-08 05:22:20 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
The default smtpd.conf that ships with the postfix rpm sets saslauthd as password verification, but it doesn't limit the SMTP AUTH mechanisms Postfix may announce to clients.

This will lead to authentication failures if a client chooses to use any other mechanism available than PLAIN or LOGIN, because saslauthd can only handle PLAIN and LOGIN.

It is quite likely that a client will choose any other mechanism, because it delegates the process of choosing the mechanism to libsasl, which will always go for the most secure mechanisms, and PLAIN and LOGIN, being plaintext mechanisms, are among the weakest mechanisms from a security standpoint.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
1. Configure Postfix to offer SMTP AUTH using the default smtpd.conf settings
2. Use a mail client that may use shared-secret mechanisms
3. Try to authenticate

Actual Results:  Postfix offers all mechanisms that have been installed by the cyrus-sasl RPMs.
The client should fail, because it prefers CRAM-MD5 or DIGEST-MD5 over PLAIN or LOGIN.

Expected Results:  Postfix should only offer mechanisms saslauthd can handle i.e. PLAIN and LOGIN.

Additional info:

Add the mech_list parameter and the options PLAIN LOGIN to smtpd.conf (or postfix-sasl.conf in the src.rpm) like this:

mech_list: PLAIN LOGIN

After this has been set and Postfix has been reloaded, it should only offer these plaintext mechanisms after an "EHLO foo" in a telnet session to the SMTP port.
Comment 1 Rahul Sundaram 2006-02-20 05:50:59 EST

These bugs are being closed since a large number of updates have been released after the FC5 test1 and test2 releases. Kindly update your system by running yum update as root user or try out the third and final test version of FC5 being released in a short while and verify if the bugs are still present on the system. Reopen or file new bug reports as appropriate after confirming the presence of this issue. Thanks
Comment 2 Patrick Ben Koetter 2006-02-20 07:11:36 EST
Created attachment 124881 [details]
replacement for current postfix-sasl.conf
Comment 3 Patrick Ben Koetter 2006-08-08 14:56:23 EDT
Hello Thomas Woerner,

I've noted that this bug is still present in postfix-2.3.2-1.src.rpm shipped
with FC6 test 2:

$ cat postfix-sasl.conf
pwcheck_method: saslauthd

Edit postfix-sasl.conf like this and the bug is fixed:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
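A checker for the mismatch described in the report and the fix shown in Comment 3, added here as an example; it is not part of the bug, the attachment or the Fedora package. The list of installed mechanisms and the client's preference order are assumptions standing in for whatever cyrus-sasl plugins and client libsasl are actually present.

```python
"""Check a Cyrus SASL application config (e.g. smtpd.conf / postfix-sasl.conf)
for 'pwcheck_method: saslauthd' without a mech_list restricted to the
plaintext mechanisms saslauthd can verify, and show which mechanism a
libsasl-style client would pick from what the server advertises."""

# saslauthd only ever receives a plaintext password, so these are the only
# mechanisms it can complete.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Assumption: plugins installed by the cyrus-sasl packages on the host.
INSTALLED_MECHS = ["DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]

# Assumption: a client preference order, strongest first (libsasl behaviour).
CLIENT_PREFERENCE = ("DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN")

# Constructed sample configs: the shipped default and the fixed version.
DEFAULT_CONF = "pwcheck_method: saslauthd\n"
FIXED_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"


def parse_sasl_conf(text):
    """Parse 'key: value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def advertised_mechs(conf, installed=INSTALLED_MECHS):
    """Mechanisms announced after EHLO: mech_list if set, otherwise every installed plugin."""
    if "mech_list" in conf:
        return [m.upper() for m in conf["mech_list"].split()]
    return list(installed)


def unverifiable_mechs(conf, installed=INSTALLED_MECHS):
    """Advertised mechanisms that the configured password checker cannot complete."""
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return []  # other backends (e.g. auxprop) can serve shared-secret mechanisms
    return [m for m in advertised_mechs(conf, installed) if m not in SASLAUTHD_MECHS]


def client_choice(advertised, preference=CLIENT_PREFERENCE):
    """Pick the first mechanism in the client's preference order the server offers."""
    return next((m for m in preference if m in advertised), None)
```

With the default config the client picks DIGEST-MD5 and authentication fails; with mech_list set it picks PLAIN, which saslauthd can verify.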
Comment 4 Red Hat Bugzilla 2007-02-05 14:04:30 EST
REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.
Comment 5 Matthew Miller 2007-04-06 12:45:59 EDT
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
Comment 6 Patrick Ben Koetter 2007-04-07 07:55:03 EDT
The problem has been fixed. If I found a button to close this call, I'd do it.
Comment 7 Matthew Miller 2007-04-07 08:13:33 EDT
I think you did. Thanks. :)