Wietse Venema via Postfix-users:
> > $ telnet wzv smtp
> > Trying 168.100.3.7...
> > Connected to wzv.
> > Escape character is '^]'.
> > 220 wzv.porcupine.org ESMTP Postfix
> > XCLIENT LOGIN=whatever
> > 220 wzv.porcupine.org ESMTP Postfix
> > MAIL FROM:<>
> > 250 2.1.0 Ok
> > RCPT TO:<wietse>
> > 554 5.7.1 <wietse>: Relay access denied
> >
> > Investigating...
>
> Workaround: specify "smtpd_sasl_auth_enable = yes". That means
> Postfix needs some of the Dovecot machinery even if most of it will
> remain unused.
>
> The documentation may suggest that enabling Postfix SASL is not
> needed. I'll see what code change will fix the documented promise
> without causing new problems.

The fix is to simplify code: remove the test that SASL support is
enabled. This is safe because only the XCLIENT and AUTH commands can
change the sasl login.

In any case, it remains essential that once Postfix has allowed the
client to send XCLIENT LOGIN, no further XCLIENT commands will be
allowed. I.e. the XCLIENT LOGIN=whatever must be sent together with
NAME and ADDR information that prevents further use of XCLIENT
commands.

Example:

    XCLIENT LOGIN=whatever NAME=hostname ADDR=hostaddr

Where the hostname and hostaddr don't match
smtpd_authorized_xclient_hosts.

	Wietse

--- /var/tmp/postfix-3.10-20240928/src/smtpd/smtpd_check.c 2024-07-22 17:04:13.000000000 -0400 +++ src/smtpd/smtpd_check.c 2024-09-30 14:50:08.401963599 -0400 @@ -4680,13 +4680,11 @@ cpp[1], CHECK_RELAY_DOMAINS); } else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) { #ifdef USE_SASL_AUTH - if (smtpd_sasl_is_active(state)) { - status = permit_sasl_auth(state, - SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO); - if (status == SMTPD_CHECK_OK) - status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT, - state->namaddr, NO_PRINT_ARGS); - } + status = permit_sasl_auth(state, + SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO); + if (status == SMTPD_CHECK_OK) + status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT, + state->namaddr, NO_PRINT_ARGS); #endif } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) { status = permit_tls_clientcerts(state, 1);
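
Review bot: the now-unconditional permit_sasl_auth() call in the PERMIT_SASL_AUTH branch still sits inside #ifdef USE_SASL_AUTH, so in a build without USE_SASL_AUTH the branch body stays empty; please confirm whether the documented XCLIENT LOGIN behaviour is meant to apply to such builds, and either note the limitation in the documentation or move the #ifdef as well. A short comment above the call recording why the smtpd_sasl_is_active(state) test is not needed (only the XCLIENT and AUTH commands can change the login) would keep the guard from being reintroduced later.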
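
The requirement in the message above (XCLIENT LOGIN must travel with NAME and ADDR values that do not match smtpd_authorized_xclient_hosts) can be checked on the proxy side before the command is sent. This is an added example, not code from the post or from Postfix; check_login_override, parse_xclient and the sample networks and names are hypothetical, and the authorized list is assumed to hold only CIDR networks and exact hostnames, whereas the real parameter accepts more pattern types.

```python
import ipaddress

def parse_xclient(line):
    """Split 'XCLIENT ATTR=value ...' into a dict keyed by upper-cased attribute."""
    verb, *pairs = line.strip().split()
    if verb.upper() != "XCLIENT":
        raise ValueError("not an XCLIENT command")
    attrs = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {pair!r}")
        attrs[name.upper()] = value
    return attrs

def check_login_override(line, authorized_nets, authorized_names=()):
    """Return a list of problems; an empty list means LOGIN is pinned as described."""
    attrs = parse_xclient(line)
    if "LOGIN" not in attrs:
        return []                      # nothing to pin
    problems = []
    for required in ("NAME", "ADDR"):
        if required not in attrs:
            problems.append(f"LOGIN sent without {required}")
    if "ADDR" in attrs:
        addr = attrs["ADDR"]
        if addr.upper().startswith("IPV6:"):   # XCLIENT prefixes IPv6 addresses
            addr = addr[5:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:             # e.g. [UNAVAILABLE] cannot pin the session
            problems.append("ADDR is not an IP address")
        else:
            if any(ip in ipaddress.ip_network(n) for n in authorized_nets):
                problems.append("ADDR still matches an authorized XCLIENT network")
    if attrs.get("NAME", "").lower() in {n.lower() for n in authorized_names}:
        problems.append("NAME still matches an authorized XCLIENT host")
    return problems

# Constructed sample values (documentation address ranges and example domains).
NETS = ["192.0.2.0/24", "2001:db8::/32"]
NAMES = ["proxy.example.com"]

if __name__ == "__main__":
    for cmd in ("XCLIENT LOGIN=whatever",
                "XCLIENT LOGIN=whatever NAME=client.example.net ADDR=198.51.100.7"):
        print(cmd, "->", check_login_override(cmd, NETS, NAMES) or "ok")
```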