NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2007-11

Re: Another change to smtp_sasl_auth.

From: Keean Schupke (keeanfry-it.com)
Date: Wed Nov 21 2007 - 13:17:34 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Okay, thanks for that... could be exactly what I am looking for!
Should keep me busy for a while

Cheers,
Keean Schupke, Fry-IT Ltd.

On 21/11/2007, Victor Duchovni <Victor.Duchovnimorganstanley.com> wrote:
> On Wed, Nov 21, 2007 at 06:52:33PM +0000, Keean Schupke wrote:
>
> > Yes, I am running postfix in a chroot jail. I am not talking about
> > updating the config... the config would be something like
> > "smtp_sasl_auth_dont_reuse_bad_credentials = yes" ... the state would
> > have to be stored inside the chroot jail, or in a database where we
> > have write permission.
>
> An extension to the verify(8) service could perhaps store the required
> state. It already caches delivery success/failure results. You need to
> make each and every delivery into an "authentication probe", and query
> verify before attempting to use the password.
>
> The lookup key should be a suitable hash (SHA1) of the (gateway,user,pass)
> tripple. The cache lifetime should be the expected maximum time you are
> willing to wait for the new password.
>
> If the password is updated, you are automatically going to use the new
> one, because the new lookup key has no prior bad history.
>
> The downside is that the verify(8) protocol is not trivial.
>
> Look at verify_clnt_update() and vrfy_clnt_query() in global/verify_clnt.c
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]