Re: Another change to smtp_sasl_auth.

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Wed Nov 21 2007 - 13:13:32 CST


On Wed, Nov 21, 2007 at 06:52:33PM +0000, Keean Schupke wrote:

> Yes, I am running postfix in a chroot jail. I am not talking about
> updating the config... the config would be something like
> "smtp_sasl_auth_dont_reuse_bad_credentials = yes" ... the state would
> have to be stored inside the chroot jail, or in a database where we
> have write permission.

An extension to the verify(8) service could perhaps store the required
state. It already caches delivery success/failure results. You need to
make each and every delivery into an "authentication probe", and query
verify before attempting to use the password.

The lookup key should be a suitable hash (SHA1) of the (gateway,user,pass)
triple. The cache lifetime should be the expected maximum time you are
willing to wait for the new password.

If the password is updated, you are automatically going to use the new
one, because the new lookup key has no prior bad history.

The downside is that the verify(8) protocol is not trivial.

Look at verify_clnt_update() and vrfy_clnt_query() in global/verify_clnt.c

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
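A small model of the cache Viktor sketches above, written as an added example for this archive page; it is not code from the thread or from Postfix, and the verify(8) client protocol is not modelled. The class name, method names and the length-prefixed field encoding are assumptions; the SHA1 key over the (gateway,user,pass) triple and the lifetime-bounded "bad" verdict are the parts the message describes.

```python
import hashlib
import time
from typing import Callable, Dict, Tuple


class BadCredentialCache:
    """Remembers which (gateway, user, password) triples recently failed
    authentication, keyed by SHA1 of the triple so the password itself is
    never stored. A changed password yields a fresh key with no history."""

    def __init__(self, lifetime_seconds: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.lifetime = lifetime_seconds     # max time to wait for a new password
        self.clock = clock                   # injectable so tests can advance time
        self._entries: Dict[str, Tuple[str, float]] = {}  # key -> (status, expiry)

    @staticmethod
    def key(gateway: str, user: str, password: str) -> str:
        # Length-prefix each field so ("a", "bc") and ("ab", "c") hash differently
        # (assumed encoding; the message only says "a suitable hash of the triple").
        h = hashlib.sha1()
        for field in (gateway, user, password):
            data = field.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))
            h.update(data)
        return h.hexdigest()

    def should_attempt(self, gateway: str, user: str, password: str) -> bool:
        """The 'probe' before each delivery: skip the attempt only while a
        fresh 'bad' verdict exists for exactly this triple."""
        k = self.key(gateway, user, password)
        entry = self._entries.get(k)
        if entry is None:
            return True
        status, expires = entry
        if self.clock() >= expires:          # cache lifetime over: try again
            del self._entries[k]
            return True
        return status != "bad"

    def record(self, gateway: str, user: str, password: str, ok: bool) -> None:
        """Store the outcome of a real authentication attempt."""
        k = self.key(gateway, user, password)
        self._entries[k] = ("ok" if ok else "bad", self.clock() + self.lifetime)
```

Because the key is derived from the password, the cache itself lets anyone who can read it test password guesses offline, so it belongs in the write-restricted location the thread already discusses (inside the chroot or a database the daemon owns), not in a world-readable file.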