OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: SMTP-SASL auth failure caching.

From: Wietse Venema (wietseporcupine.org)
Date: Sun Dec 02 2007 - 15:44:07 CST

Keean Schupke:
[ Charset ISO-8859-1 unsupported, converting... ]
> On 02/12/2007, Wietse Venema <wietseporcupine.org> wrote:
>
> > > So this feature depends on OpenSSL's libcrypto. How should that be
> > > handled in makedefs? (Question for Wietse I think).
> >
> > OpenSSL must not be mandatory. On my servers, it makes no sense to
> > increase the attack profile by tens of thousand of lines of code.
>
> Is there a suitable alternative that does not require ssl?

If you need hashing in Postfix, then I don't need to find one :-)

The function needs to be collision-free, otherwise Postfix will
falsely refuse to use a good password. So it is not a good idea to
use a CRC function, XOR, or anything whose output is a linear
function of its input.

If the function's license requires that credit be given, then proper
reference needs to be made in the Postfix documentation, and in
the Postfix license file.

In the worst case Postfix can use plaintext by default, and strong
hash when linked with OpenSSL. People who need this will most likely
be linking with OpenSSL anyway.

> > > Anyway, this is probably enough for now in terms of patches, the key
> > > question at this point is whether this should be adopted. Wietse?
> >
> > Assuming that it implements its own cache daemon, the only thing
> > that remains is naming.
> >
> > If possible, the master.cf service name should match the executable
> > name.
> >
> > Is "cache" really a good choice for a Postfix daemon name?
>
> The cache service is a generic cache, it is in no way tied to just
> being used to cache auth failures. In theory any service can use it
> for storing any data. Hence "auth_cache" represents a specific
> application of the generic cache.
> Another alternative might be "dict" or "dictionary" service.

Postfix already has a "dict" daemon. It's called proxymap. I am
not convinced that two "dict" daemons is desirable.

If the proxymap service had a "put" operation, would that suffice?
Adding "put" support involves less code than adding an entire daemon
and client module to Postfix. This would require a new parameter
proxy_write_maps that complements the existing proxy_read_maps
feature.

> > Is "auth_cache" really a good name for a service that remembers
> > password failures?
>
> Perhaps auth_failure_cache? I didn't want it to be too long, as all
> the others have short names.

With proxymap, we sidestep that problem. One only has to specify
the map name; the proxy_write_maps parameter would automagically
whitelist the map that is used for auth failures, so no additional
configuration would be needed.

        Wietse