
I set up a mail server with Postfix and configured it to use Cyrus SASL to authenticate my users. It worked perfectly, until I found out that I can log in with shorter passwords than they actually are.

For example, the password should be uhuh1234h22, but I can log in with:

uhuh1234
uhuh1234h
uhuh1234h2
uhuh1234h22

But not with anything shorter...

I tested that with this command:

testsaslauthd -u USERNAME -p PASSWORD -s smtp -f /var/spool/postfix/var/run/saslauthd/mux

My question is: why does this happen, and how can I prevent it?

Edit

My configuration file in /etc/pam.d/smtp is:

auth    required   pam_mysql.so user=USR passwd=PASS host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=USR passwd=PASS host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
Matthias Dunkel
  • It seems your password gets truncated at 8 characters. saslauthd does not do this, but the underlying mechanisms might. What is your authentication backend to saslauthd and how is it configured? If it is PAM, what is the relevant PAM module's configuration? – the-wabbit Jan 09 '14 at 13:27
  • @syneticon-dj Yes, it's PAM, which uses a MySQL database. So that's the pam_mysql module, I think. Where can I find the config of this module? – Matthias Dunkel Jan 09 '14 at 13:31
  • @syneticon-dj Found it, I think. Edited my question. – Matthias Dunkel Jan 09 '14 at 13:41

1 Answer

The trouble lies in your use of crypt. From the docs to pam_mysql:

crypt (0)

Specifies the method to encrypt the user's password:
 0 (or "plain") = No encryption. Passwords stored in plaintext. HIGHLY DISCOURAGED. 
 1 (or "Y") = Use crypt(3) function 
 2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by pam-mysql is different from that of the MySQL server, as pam-mysql uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query. 
 3 (or "md5") = Use MySQL MD5() function

Your crypt parameter is set to 1, which means that the crypt function is used. And this is what crypt is doing:

By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained.

You should be using one of the other storage schemes (preferably 2 or 3) to allow for longer passwords.

Note that you likely would need to check for other service definitions in /etc/pam.d as well to make sure you have everything covered (if you have a Cyrus IMAP server authenticating with SASL on the same host, at least /etc/pam.d/imap would contain similar records).

When changing the password encryption scheme, you also would effectively lose all your stored passwords and need to have them reset.

the-wabbit
  • Thank you very much. That was it. But if I use MD5 then Courier can't handle the login anymore, right? – Matthias Dunkel Jan 09 '14 at 14:32
  • @MatthiasDunkel I do not know Courier all that well, but it should be able to employ either SASL or PAM directly, which would prevent any kind of compatibility problems. It would be not the best idea to circumvent the authentication library and access the password data stored in the MySQL database directly (e.g. via the authmysql module). You *would* need to reset all your `crypt`-generated passwords, though. – the-wabbit Jan 09 '14 at 17:17
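To see why the recommended schemes 2 and 3 accept only the full password, and to find which rows of the users table still hold a crypt(3) DES hash and so must be reset after switching, here is an added Python example (not code from the answer or from pam_mysql). It assumes crypt=2 yields the MySQL 4.1+ PASSWORD() format (`*` followed by upper-case hex SHA1(SHA1(pw))) and crypt=3 the 32-hex MD5() format; the sample rows and the DES-shaped value are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample `users` rows: email -> value of the password column.
# None of these are real hashes; each only has the shape its scheme produces.
SAMPLE_ROWS = {
    "alice@example.com": "abJ1z2Z3d4e5f",  # crypt=1 shape: 2-char salt + 11 chars (placeholder)
    "bob@example.com": "*" + "0" * 40,      # crypt=2 shape (placeholder)
    "carol@example.com": "0" * 32,          # crypt=3 shape (placeholder)
}


def mysql_password(password: str) -> str:
    """Assumed crypt=2 format: MySQL 4.1+ PASSWORD() = '*' + hex(SHA1(SHA1(pw))), upper case."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_md5(password: str) -> str:
    """Assumed crypt=3 format: MySQL MD5() = 32 lower-case hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def detect_scheme(stored: str) -> str:
    """Classify a stored column value by the shape each pam_mysql crypt= scheme produces."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql"      # crypt=2
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5"        # crypt=3
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "des-crypt"  # crypt=1: only the first 8 characters of the password count
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a crypt=2 or crypt=3 value. The whole password is hashed,
    so a truncated candidate never matches. DES crypt rows are refused here on purpose."""
    scheme = detect_scheme(stored)
    if scheme == "mysql":
        return hmac.compare_digest(mysql_password(password), stored)
    if scheme == "md5":
        return hmac.compare_digest(mysql_md5(password), stored)
    return False


def rows_needing_reset(rows: dict) -> list:
    """Accounts still stored as DES crypt; their passwords must be reset after the switch."""
    return sorted(email for email, value in rows.items() if detect_scheme(value) == "des-crypt")
```

Run rows_needing_reset() over the real password column to get the list of users to contact before flipping crypt= in /etc/pam.d/smtp and the other service files.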