Dear fellow users,

Unless my configuration isn't safe (not yet included), I may have found an
unwanted behavior in Postfix.

When I set the -v flag in master.cf for smtpd, my log, mail.log, contains
cleartext passwords for my SQL user database. This happens for all my SQL
queries.

Extracted from the mail.log:
Oct 29 12:44:05 vps1 postfix/submission/smtpd[556103]: cfg_get_str: /etc/postfix/sql/virtual_alias_maps.cf: user = postfixadmin
Oct 29 12:44:05 vps1 postfix/submission/smtpd[556103]: cfg_get_str: /etc/postfix/sql/virtual_alias_maps.cf: password = *****plaintext password*****
Oct 29 12:44:05 vps1 postfix/submission/smtpd[556103]: cfg_get_str: /etc/postfix/sql/virtual_alias_maps.cf: dbname = vmail_postfixadmin

More system information and configs:

root@vps1:/var/log# uname -a
Linux ************** 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux

root@vps1:/var/log# postconf mail_version
mail_version = 3.7.6

root@vps1:/var/log# cat /etc/postfix/master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - 1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd pass - - y - - smtpd -v
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd -v
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
 # -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup

If this is a configuration error on my side, sorry to waste your time.

Best regards,
Dimitri
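
Added example, not part of the original post and not Postfix code: a Python check that lists the master.cf services started with -v and finds and masks `cfg_get_str: <map file>: password = ...` lines of the kind quoted above. The function names and the sample password value are constructed for illustration.

```python
import re

# Format of the debug lines quoted in the post:
#   <syslog prefix>: cfg_get_str: <map file>: password = <value>
CFG_PASSWORD = re.compile(r"^(.*\bcfg_get_str: (\S+): password = )(.*)$")

def verbose_services(master_cf):
    """Return (service, type, command) for master.cf entries started with -v."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += line.split()   # continuation of the previous entry
        else:
            entries.append(line.split())
    hits = []
    for fields in entries:
        args = fields[8:]                 # the 8th field is the command itself
        # Drop "-o name=value" pairs so only the daemon's own flags remain.
        flags = [a for i, a in enumerate(args) if a != "-o" and (i == 0 or args[i - 1] != "-o")]
        if len(fields) >= 8 and any(re.fullmatch(r"-v+", f) for f in flags):
            hits.append((fields[0], fields[1], fields[7]))
    return hits

def scan_log(lines):
    """Return (map files whose password was logged, lines with the value masked)."""
    exposed, masked = set(), []
    for line in lines:
        m = CFG_PASSWORD.match(line)
        if m:
            exposed.add(m.group(2))
            line = m.group(1) + "[REDACTED]"
        masked.append(line)
    return sorted(exposed), masked

# Constructed samples modelled on the post; the password value is made up.
SAMPLE_MASTER_CF = """\
smtpd pass - - y - - smtpd -v
submission inet n - y - - smtpd -v
    -o syslog_name=postfix/submission
 # -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
pickup unix n - y 60 1 pickup
"""
SAMPLE_LOG = [
    "Oct 29 12:44:05 vps1 postfix/submission/smtpd[556103]: cfg_get_str: /etc/postfix/sql/virtual_alias_maps.cf: user = postfixadmin",
    "Oct 29 12:44:05 vps1 postfix/submission/smtpd[556103]: cfg_get_str: /etc/postfix/sql/virtual_alias_maps.cf: password = constructed-example-value",
]
```

Running `scan_log` over existing log files shows which map files have had their password written to disk, so those credentials can be rotated once -v is removed.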

 

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
