On Wed, Oct 07, 2015 at 03:20:04PM -0700, Quanah Gibson-Mount wrote:
> User account is compromised
> Spammer creates a persistent connection to send out spam
> Admin adds compromised user to the SASL map
> Admin contacts user, has them change their password
> Admin removes user from the SASL map
> Compromised connection is still open to postfix, and spam continues until
> postfix is restarted, and the spammer can no longer auth because the
> password was changed.
>
> I see this fairly frequently with our customers, where they don't understand
> why simply having the user change their password doesn't stop the spammer
> from being able to send out email, because postfix "logs" an auth for every
> one of the emails sent out over the persistent connection, even though they
> actually only auth'd when initially opening the connection.
Yes, just changing the password is not enough in the face of persistent connections. In SMTP the SASL authentication status is a *connection* property, not a per-message property.

To lock out existing connections, an access rule has to be added to deny access until after the password is changed. The access rule can be via "check_sasl_access" or via a "policy" lookup performed with every transaction. Just changing the password does nothing to invalidate existing connections.

-- 
Viktor.
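As an added example of the per-transaction "policy" lookup Viktor mentions (this is not code from the thread or from Postfix itself): a minimal SMTPD policy service in Python, speaking the request/response protocol documented in SMTPD_POLICY_README, that rejects every transaction whose SASL login name is on a lockout list, so a session that authenticated before the account was locked is cut off at its next MAIL FROM instead of running until smtpd is restarted. The lockout set, the socket path and the matching main.cf line `check_policy_service unix:private/lockout` (placed in smtpd_sender_restrictions before permit_sasl_authenticated) are assumptions for illustration.

```python
import socketserver

# Constructed lockout list of SASL login names (in practice read from a file
# or database that the admin updates when an account is found compromised).
LOCKED_ACCOUNTS = {"compromised@example.com"}

def parse_request(raw: str) -> dict:
    """Parse one policy request: "name=value" lines up to the empty terminator."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def policy_decision(attrs: dict, locked=LOCKED_ACCOUNTS) -> str:
    """Return the action Postfix applies to this transaction."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("sasl_username", "").lower() in locked:
        # Rejecting here ends the spam run even though AUTH succeeded earlier on
        # this session; smtpd never re-checks the (now changed) password itself.
        return "REJECT 5.7.1 Account locked pending password reset"
    return "DUNNO"

def respond(raw: str) -> str:
    """Full wire response for one request: the action line plus empty terminator."""
    return f"action={policy_decision(parse_request(raw))}\n\n"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may send several requests over one connection
            lines = []
            for line in self.rfile:
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            else:
                return  # Postfix closed the connection
            self.wfile.write(respond("\n".join(lines) + "\n\n").encode())
            self.wfile.flush()

# Constructed request as sent for a message on an already-authenticated session.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "sender=compromised@example.com\nrecipient=victim@example.net\n"
                  "sasl_method=PLAIN\nsasl_username=compromised@example.com\n\n")

if __name__ == "__main__":
    print(respond(SAMPLE_REQUEST), end="")  # prints "action=REJECT 5.7.1 ..."
    # Hypothetical socket path for "check_policy_service unix:private/lockout".
    socketserver.UnixStreamServer("/var/spool/postfix/private/lockout", PolicyHandler).serve_forever()
```

Because the lookup runs on every transaction, removing a name from the set again (after the password change) is all that is needed to let the user back in; no restart of Postfix is involved.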