Vladimir Lomov:
> Hello,
>
> I faced with strange problem with my postfix configuration. I use the postfix
> as SMTP client to send emails from my host. Recently I changed the password
> on external email-server, updated file that stores passwords and now I see
> SASL authentication failures in log. I wonder is the limitation on password
> part in the file pointed by smtp_sasl_password_maps?
>
> This is password part of my postfix configuration:
>
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>
> where sasl_passwd has following format:
>
> account@MAIL.SERVER account:PASSWORD
>
> The only restriction on PASSWORD that email-server puts is to avoid
> ' and ~ symbols, right now PASSWORD has any except these symbols,
> for example it has symbols: ;:".
What is the output from:
postmap -q account@MAIL.SERVER | od -cb
Does it show anything unexpected, or does it not show anything
that you would expect to be in the output?
> I read the documentation but didn't find any restrictions on
> PASSWORD part. Do I missed something?
When you create hash:/etc/postfix/sasl_passwd, the postmap command
will
- strip leading whitespace before 'account:password'
- strip and trailing whitespace after 'account:password'
- store text as null-terminated strings.
Therefore, the postmap command will not store leading whitespace in the
'account'
portion, will not store trailing whitespace in the 'password' portion, and will
not store text that follows a null byte.
The password lookup code splits the 'account:password' lookup result
as follows:
passwd = split_at(session->sasl_username, ':');
Where session->sasl_username initially contains the entire lookup result.
The split_at() call consumes exactly one ':' character.
Therefore, there must be no ':' in the 'account' portion of the
sasl_passwd lookup result. Otherwise, split_at() does not introduce
any additional syntax restrictions on sasl_passwd syntax beyond
those already introduced by the postmap command.
Wietse
