On Thu, May 28, 2009 at 04:02:37PM +0800, Norbert P. Copones wrote:

> this setting is fine in 2.5 and it guarantees that smtp auth
> only operates in tls. this also prevents users at my domain
> from spoofing as it requires authentication.
> 
> however, a change in 2.6 in sasl broke this setup.
> 
> using the config above, the following warning will occur since sasl
> will only activate during tls.
> 
> warning: restriction 'reject_authenticated_sender_sender_login_mismatch'
> ignored: no SASL support
> warning: restriction 'reject_unauthenticated_sender_sender_login_mismatch'
> ignored: no SASL support
> 
> 
> my workaround for this is to disable smtpd_tls_auth_only but this
> also lets users authenticate in plain-text mode.
> 
> any other workarounds?

Try this patch:

Index: src/smtpd/smtpd_check.c
--- src/smtpd/smtpd_check.c     28 Apr 2009 22:03:36 -0000      1.1.1.13
+++ src/smtpd/smtpd_check.c     28 May 2009 08:49:06 -0000
@@ -3314,7 +3314,8 @@
      * Reject if the client is not logged in and the sender address has an
      * owner.
      */
-    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
+    if (!smtpd_sasl_is_active(state)
+       || (smtpd_sasl_is_active(state) && state->sasl_username == 0)) {
        reply = smtpd_resolve_addr(sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
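
Review bot: The new condition calls smtpd_sasl_is_active(state) twice, and the second call inside the parentheses is redundant, because the right-hand side of || is only evaluated once the first test has found SASL active. "if (!smtpd_sasl_is_active(state) || state->sasl_username == 0) {" is equivalent and still reads sasl_username only on sessions where SASL is active. The comment above the test still says only "not logged in"; it is worth extending it to say that a session where SASL is not active (the smtpd_tls_auth_only case before TLS from the report) is treated as not logged in, since that is the case this change exists for.
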
@@ -3766,7 +3767,7 @@
                                          state->sender, SMTPD_NAME_SENDER);
        } else if (strcasecmp(name, REJECT_AUTH_SENDER_LOGIN_MISMATCH) == 0) {
 #ifdef USE_SASL_AUTH
-           if (smtpd_sasl_is_active(state)) {
+           if (var_smtpd_sasl_enable) {
                if (state->sender && *state->sender)
                    status = reject_auth_sender_login_mismatch(state, 
state->sender);
            } else
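
Review bot: With the gate changed from smtpd_sasl_is_active(state) to var_smtpd_sasl_enable, reject_auth_sender_login_mismatch() is now reached on sessions where SASL is enabled in the configuration but not active, and nothing in this patch shows that function being adjusted for that case; the only function body changed is the one at line 3314, whose comment describes the not-logged-in check. Please confirm that reject_auth_sender_login_mismatch() tests state->sasl_username before using it when there is no SASL login on the session, or add an explicit guard there as well.
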
@@ -3774,7 +3775,7 @@
                msg_warn("restriction `%s' ignored: no SASL support", name);
        } else if (strcasecmp(name, REJECT_UNAUTH_SENDER_LOGIN_MISMATCH) == 0) {
 #ifdef USE_SASL_AUTH
-           if (smtpd_sasl_is_active(state)) {
+           if (var_smtpd_sasl_enable) {
                if (state->sender && *state->sender)
                    status = reject_unauth_sender_login_mismatch(state, 
state->sender);
            } else
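
Review bot: The test on var_smtpd_sasl_enable has no comment, and it is not obvious why a per-session restriction is now gated on a global setting. A short comment would help, saying that the check must also run on sessions where SASL is configured but not active, and that the not-active case is handled by the condition changed in the first hunk. Separately, the call on the line after the changed one is split across two lines in this mail (as in the previous hunk), so the patch may not apply as posted; resending it as an attachment would avoid that.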

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[email protected]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
