Re: PATCH: saslauthd show remote ip address
--On Wednesday, December 02, 2015 9:05 AM -0500 Wietse Venema wrote:

> Selcuk Yazar:
> > Thank you Koko for the warning, hopelessly I try my chance :(
> >
> > but I found this after I sent the email
> >
> > "...From a cursory inspection of lib/pwcheck.c, saslauthd does not get
> > passed any client IP information and cannot log it or forward it to pam..."
>
> Postfix currently sends no IP address to the Cyrus SASL library.
>
> Long ago, libsasl did not use this information, and the Postfix
> side code has not been updated.
>
> You can try this patch and see if it fixes the problem (or if it
> causes new ones).

We are using this patch in our dev lab with postfix 3.0.3. So far, no problems have arisen, and it is helping us with resolving an issue we had with tracking originating IPs.

Thanks!

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> --On Wednesday, December 02, 2015 9:05 AM -0500 Wietse Venema
> wrote:
>
> > Selcuk Yazar:
> >> Thank you Koko for the warning, hopelessly I try my chance :(
> >>
> >> but I found this after I sent the email
> >>
> >> "...From a cursory inspection of lib/pwcheck.c, saslauthd does not get
> >> passed any client IP information and cannot log it or forward it to pam..."
> >
> > Postfix currently sends no IP address to the Cyrus SASL library.
> >
> > Long ago, libsasl did not use this information, and the Postfix
> > side code has not been updated.
> >
> > You can try this patch and see if it fixes the problem (or if it
> > causes new ones).
>
> We are using this patch in our dev lab with postfix 3.0.3. So far, no
> problems have arisen, and it is helping us with resolving an issue we had
> with tracking originating IPs. Thanks!

Thanks. According to a document dating from 2003 (*), this code needs more work:

- The sasl_server_new() function expects the form "ipaddress:port", but Postfix sends only the IP address.

- An IPv6 address must be enclosed in [], which Postfix does not yet do.

This is not completely trivial because the port information needs to be consistent with information from proxies, postscreen, and XCLIENT, otherwise results will be incorrect.

        Wietse

(*) https://cyrusimap.org/docs/cyrus-sasl/2.1.25/draft-newman-sasl-c-api-xx.txt
Re: PATCH: saslauthd show remote ip address
--On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema wrote:

> This is not completely trivial because the port information needs
> to be consistent with information from proxies, postscreen, and
> XCLIENT, otherwise results will be incorrect.

Ok, good to know. Is there any general timeline on when that will be available for testing?

Thanks,
Quanah
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema
> wrote:
>
> > This is not completely trivial because the port information needs
> > to be consistent with information from proxies, postscreen, and
> > XCLIENT, otherwise results will be incorrect.
>
> Ok, good to know. Is there any general timeline on when that will be
> available for testing?

No. Time is in short supply, especially for functionality that has been missing for 15+ years.

        Wietse
Re: PATCH: saslauthd show remote ip address
--On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema wrote:

> Quanah Gibson-Mount:
> > --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema wrote:
> >
> > > This is not completely trivial because the port information needs
> > > to be consistent with information from proxies, postscreen, and
> > > XCLIENT, otherwise results will be incorrect.
> >
> > Ok, good to know. Is there any general timeline on when that will be
> > available for testing?
>
> No. Time is in short supply, especially for functionality that has been
> missing for 15+ years.

Ok, thanks. Not sure if it falls into the legal issue of required source port logging that Belgium has implemented or not. I.e., being able to tie the source port logged at the smtp server to a specific sasl auth request.

--Quanah
Re: PATCH: saslauthd show remote ip address
--On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount wrote:

> --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema wrote:
>
> > Quanah Gibson-Mount:
> > > --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema wrote:
> > >
> > > > This is not completely trivial because the port information needs
> > > > to be consistent with information from proxies, postscreen, and
> > > > XCLIENT, otherwise results will be incorrect.
> > >
> > > Ok, good to know. Is there any general timeline on when that will be
> > > available for testing?
> >
> > No. Time is in short supply, especially for functionality that has been
> > missing for 15+ years.
>
> Ok, thanks. Not sure if it falls into the legal issue of required source
> port logging that Belgium has implemented or not. I.e., being able to
> tie the source port logged at the smtp server to a specific sasl auth
> request.

After deploying live with this patch, we found ports 465/587 were busted:

Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: connect from edge01.zimbra.com[10.210.0.174]
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: Anonymous TLS connection established from edge01.zimbra.com[10.210.0.174]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: server_addr=, client_addr=10.210.0.174
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: SASL per-connection server initialization: invalid parameter supplied
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: fatal: SASL per-connection initialization failed

From the command line with openssl, it'd drop with:

250 DSN
read:errno=0

So we will be working further on this patch, and will push back whatever further changes are necessary.

--Quanah
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> --On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount
> wrote:
>
> > --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema
> > wrote:
> >
> >> Quanah Gibson-Mount:
> >>> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema
> >>> wrote:
> >>>
> >>> > This is not completely trivial because the port information needs
> >>> > to be consistent with information from proxies, postscreen, and
> >>> > XCLIENT, otherwise results will be incorrect.
> >>>
> >>> Ok, good to know. Is there any general timeline on when that will be
> >>> available for testing?
> >>
> >> No. Time is in short supply, especially for functionality that has
> >> been missing for 15+ years.
> >
> > Ok, thanks. Not sure if it falls into the legal issue of required source
> > port logging that Belgium has implemented or not. I.e., being able to
> > tie the source port logged at the smtp server to a specific sasl auth
> > request.
>
> After deploying live with this patch, we found ports 465/587 were busted:

I think I mentioned in this thread that the patch is not complete because the Cyrus implementation expects a string of the form "ipaddress:portnumber", and the patch provides the address only.

> So we will be working further on this patch, and will push back whatever
> further changes are necessary.

        Wietse
Re: PATCH: saslauthd show remote ip address
--On Tuesday, January 05, 2016 3:43 PM -0500 Wietse Venema wrote:

> I think I mentioned in this thread that the patch is not complete
> because the Cyrus implementation expects a string of the form
> "ipaddress:portnumber", and the patch provides the address only.

Yep. We're working on completing it. ;) It just had some unanticipated side effects.

--Quanah
Re: PATCH: saslauthd show remote ip address
--On Tuesday, January 05, 2016 12:46 PM -0800 Quanah Gibson-Mount wrote:

> --On Tuesday, January 05, 2016 3:43 PM -0500 Wietse Venema wrote:
>
> > I think I mentioned in this thread that the patch is not complete
> > because the Cyrus implementation expects a string of the form
> > "ipaddress:portnumber", and the patch provides the address only.
>
> Yep. We're working on completing it. ;) It just had some unanticipated
> side effects.

Hi Wietse,

One other issue we noticed -- The call to SASL occurs every time the email passes through postfix. For example:

The initial time when the user auth's to port 587
postfix passes off to Amavis
Amavis passes it back to Postfix on port 25, and boom, the sasl bits are called, even though no auth is involved.

Since we have several milters, this happens multiple times. It would seem to me that the sasl auth call should not be occurring after the initial auth on port 587?

Thanks,
Quanah
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> Amavis passes it back to Postfix on port 25, and boom, the sasl bits are
> called, even though no auth is involved.

If you know that an SMTP daemon will not receive AUTH commands, disable SASL in master.cf, with "-o smtpd_sasl_auth_enable=no".

        Wietse
Re: PATCH: saslauthd show remote ip address
--On Saturday, January 09, 2016 9:06 AM -0500 Wietse Venema wrote:

> Quanah Gibson-Mount:
> > Amavis passes it back to Postfix on port 25, and boom, the sasl bits are
> > called, even though no auth is involved.
>
> If you know that an SMTP daemon will not receive AUTH commands,
> disable SASL in master.cf, with "-o smtpd_sasl_auth_enable=no".

Ok, I can do that for the milter bits, but it still seems odd that SASL_SERVER_NEW gets called when there is no SASL auth involved at all.

--Quanah
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> --On Saturday, January 09, 2016 9:06 AM -0500 Wietse Venema
> wrote:
>
> > Quanah Gibson-Mount:
> >> Amavis passes it back to Postfix on port 25, and boom, the sasl bits are
> >> called, even though no auth is involved.
> >
> > If you know that an SMTP daemon will not receive AUTH commands,
> > disable SASL in master.cf, with "-o smtpd_sasl_auth_enable=no".
>
> Ok, I can do that for the milter bits, but it still seems odd that
> SASL_SERVER_NEW gets called when there is no SASL auth involved at all.

You configured smtpd_sasl_auth_enable=yes, therefore the Postfix SMTP daemon will announce AUTH support, and that requires setting up a SASL AUTH connection context. RTFM sasl_listmech().

        Wietse
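The master.cf split that the last two replies describe, as an added illustration that is not part of the thread or of Postfix's own documentation: only the listener where clients actually authenticate keeps smtpd_sasl_auth_enable=yes, while the MX listener and the loopback listener that takes mail back from the content filter set it to no, so those smtpd instances never announce AUTH and never set up a SASL connection context (the sasl_server_new() call Quanah observed). The service names, the 10025 reinjection port and the extra -o overrides are assumptions taken from a typical after-queue filter setup, and the example assumes main.cf sets smtpd_sasl_auth_enable=yes globally, which is why each override is explicit.

```text
# master.cf fragment (added example; listener names and 10025 are assumed)
# ==========================================================================
# service   type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================

# Public MX listener: must never offer AUTH, so no SASL context is created.
smtp        inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no

# Submission listener: the only place clients authenticate.
# syslog_name matches the "postfix/submission/smtpd" prefix seen in the log.
submission  inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Reinjection listener for mail coming back from Amavis (assumed port).
# SASL is off here, so the filter hop no longer runs the SASL
# per-connection initialization at all; milters are skipped too,
# since the message already passed them on the way in.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o syslog_name=postfix/reinject
  -o content_filter=
  -o smtpd_sasl_auth_enable=no
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
```

"postconf -Mf" prints master.cf with one -o override per line, which makes it easy to confirm which smtpd instances still carry smtpd_sasl_auth_enable=yes after the change.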