OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: SMTP-SASL auth failure caching.

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Sun Dec 02 2007 - 20:08:17 CST

On Sun, Dec 02, 2007 at 08:38:10PM -0500, Wietse Venema wrote:

> > And a new map type other than "proxy:" that talks to this service rather
> > than proxymap? Cloning the "proxy:" map type is a bunch of work, where's
> > the win (we lose memory-only caching)?
>
> The proxymap service with update support, is sufficient.
>
> This provides the single-writer functionality.

So the SASL code needs to use "proxymap" protocol directly, not
"proxy:..." tables, which always contacts the "real" proxymap.
Code lifted from dict_proxy_lookup, ...

        stream = clnt_stream_access(proxy_stream);
        if (attr_print(stream, ATTR_FLAG_NONE,
                       ATTR_TYPE_STR, MAIL_ATTR_REQ, PROXY_REQ_LOOKUP,
                       ATTR_TYPE_STR, MAIL_ATTR_TABLE, dict->name,
                       ATTR_TYPE_INT, MAIL_ATTR_FLAGS, request_flags,
                       ATTR_TYPE_STR, MAIL_ATTR_KEY, key,
                       ATTR_TYPE_END) != 0
            || vstream_fflush(stream)
            || attr_scan(stream, ATTR_FLAG_STRICT,
                         ATTR_TYPE_INT, MAIL_ATTR_STATUS, &status,
                         ATTR_TYPE_STR, MAIL_ATTR_VALUE, dict_proxy->result,
                         ATTR_TYPE_END) != 2) {

Is that what you had in mind? Re-use "proxymap" (already a generic "cache"?)

master.cf:
        auth_cache ... proxymap
            -o proxy_read_maps=$smtp_sasl_auth_fail_map
            -o proxy_write_maps=$smtp_sasl_auth_fail_map

main.cf:
        smtp_sasl_auth_fail_map = btree:/...

What permissions will apply to new tables created by proxymap? Do we also
need a "proxy_umask" parameter?

Finally, I think you are suggesting that SHA1 is only used as follows:

        #ifdef USE_TLS
                lookup_key = SHA1(plaintext)
        #else
                lookup_key = plaintext
        #endif

so we only call into OpenSSL when it is already known to be available.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.