Hello, On Fri, 6 Oct 2023, Wietse Venema via Postfix-users wrote:
> Has this been tested:
>
> - With Cyrus SASL?
>
> - With Dovecot auth?

It was tested with Cyrus SASL only.

> - With malformed AUTH commands?

No, I tested valid AUTH commands with successful and unsuccessful authentications just to verify that the username is available in both cases.

> According to https://doc.dovecot.org/developer_manual/design/auth_protocol/
> the auth server returns a username when authentication is successful
> (OK) and when the username or password are bad (FAIL).

That is the main issue to cover: make it easier to identify that the user is using a wrong username (system username instead of email address) or password.

> With Dovecot auth, a malformed AUTH command will result in an unknown
> username which your patch covers.

If it is the string "unknown" or just an empty string, that's OK. I don't expect the SASL libraries to return a random string when the username is not available at that state from the protocol point of view.

> I don't know if Cyrus SASL sasl_getprop(..., SASL_USERNAME, ...) will
> return a username when the password is bad, but I suppose you already
> verified that.

Yes, that is the case.

> However, in the case of a malformed AUTH command with a Cyrus SASL
> backend, there is no username, and xsasl_cyrus_server_get_username()
> will log an ugly warning when the username is unavailable:
>
>     msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s",
>              myname, xsasl_cyrus_strerror(sasl_status));

xsasl_server_get_username() could be extended to cover the case when it is called from the error path, in order to suppress the warning in that case only.

> The xsasl_server_get_username() documentation says that this function
> returns the username after a successful authentication; behavior is
> unspecified after authentication failure. That will need to be updated
> such that the function returns null after a malformed AUTH request.
>
> Other than that, the patch will likely work.
I strongly suspected that a relatively small modification can lead to more work in other places as well...

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
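The Dovecot-side point in the thread above (the auth server may send a user= field in both its OK and its FAIL reply, and a malformed request yields none, which a logger should report as "unknown" rather than as a bogus name) is illustrated here with a small parser. This is added example code written for this page; it is neither Postfix's xsasl code nor Dovecot's. It assumes the tab-separated `VERB<TAB>id<TAB>field...` line layout described at the linked Dovecot auth protocol document, treats only the `user=` field as significant, and the sample reply lines in `main()` are constructed, not captured from a real server.

```c
#include <stdio.h>
#include <string.h>

/* Reply verbs a Dovecot auth client can receive; AUTH_OTHER covers anything else. */
enum auth_status { AUTH_OK, AUTH_FAIL, AUTH_CONT, AUTH_OTHER };

struct auth_reply {
    enum auth_status status;
    char user[256];   /* empty when the server sent no user= field */
};

/*
 * Parse one auth-client reply line such as
 *   "OK\t1\tuser=alice@example.com"  or  "FAIL\t2\tuser=alice\treason=..."
 * Returns 0 on success and -1 when the line lacks the verb or request id.
 * The user= field is optional in FAIL replies, so out->user may stay empty.
 */
int parse_dovecot_auth_reply(const char *line, struct auth_reply *out)
{
    const char *p = line;
    size_t len;
    char field[512];

    memset(out, 0, sizeof *out);

    /* First field: the reply verb. */
    len = strcspn(p, "\t\r\n");
    if (len == 0)
        return -1;
    if (len == 2 && strncmp(p, "OK", 2) == 0)
        out->status = AUTH_OK;
    else if (len == 4 && strncmp(p, "FAIL", 4) == 0)
        out->status = AUTH_FAIL;
    else if (len == 4 && strncmp(p, "CONT", 4) == 0)
        out->status = AUTH_CONT;
    else
        out->status = AUTH_OTHER;
    p += len;
    if (*p != '\t')                  /* the request id field is mandatory */
        return -1;
    p++;

    /* Second field: request id; only its presence matters here. */
    len = strcspn(p, "\t\r\n");
    if (len == 0)
        return -1;
    p += len;

    /* Remaining optional fields: pick out user=<name>, ignore the rest. */
    while (*p == '\t') {
        p++;
        len = strcspn(p, "\t\r\n");
        if (len >= sizeof field)
            len = sizeof field - 1;
        memcpy(field, p, len);
        field[len] = '\0';
        if (strncmp(field, "user=", 5) == 0)
            snprintf(out->user, sizeof out->user, "%s", field + 5);
        p += strcspn(p, "\t\r\n");
    }
    return 0;
}

/* Name to put in the log line: the user= value, or "unknown" when absent. */
const char *auth_username_for_log(const struct auth_reply *r)
{
    return r->user[0] ? r->user : "unknown";
}

int main(void)
{
    /* Constructed sample replies: success, bad password, malformed request. */
    const char *samples[] = {
        "OK\t1\tuser=alice@example.com\n",
        "FAIL\t2\tuser=alice\treason=Wrong password\n",
        "FAIL\t3\n",
    };
    struct auth_reply r;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_dovecot_auth_reply(samples[i], &r) != 0) {
            printf("unparseable reply\n");
            continue;
        }
        printf("status=%d user=%s\n", (int) r.status, auth_username_for_log(&r));
    }
    return 0;
}
```

The second sample shows why the thread cares about FAIL replies: the server still names the account that failed, so a log line can tell "alice" from "alice@example.com" without any change to the authentication outcome. The third sample is the malformed-request case; the parser succeeds, but `auth_username_for_log()` falls back to "unknown" instead of reporting a leftover or random string.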