Matus UHLAR - fantomas:
> Hello,
> 
> I have set up pam_abl to automatically block hosts and users from logging.
> Unfortunately, the hostname seems not to be visible in pam logs:
> 
> May  7 17:49:38 mail pam-abl[18692]: Blocking access from (null) to service 
> smtp, user xxx
> 
> is it possible to pass connecting hostname to pam somehow?

Is this Cyrus SASL or Dovecot SASL? Postfix passes the client info
to Dovecot and Cyrus.

        Wietse

smtpd_sasl_glue.c:

/*
 * ADDR_OR_EMPTY yields addr unless it compares equal to the "unknown"
 * placeholder string, in which case it yields "" (strcmp() returns 0 on
 * equality). The arguments are not parenthesized and addr is evaluated
 * twice, so pass simple, side-effect-free expressions only.
 *
 * REALM_OR_NULL yields a null pointer when realm is an empty string.
 */
#define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
#define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)

    /*
     * Create the per-connection SASL server handle, passing the local and
     * remote endpoint of this session to XSASL_SERVER_CREATE. An address or
     * port that still holds its *_UNKNOWN placeholder is passed as "" by
     * ADDR_OR_EMPTY, so the receiving code must be prepared for an empty
     * client address/port. A null result is reported with msg_fatal().
     */
    if ((state->sasl_server =
         XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
                             stream = state->client,
                             addr_family = state->addr_family,
                             server_addr = ADDR_OR_EMPTY(state->dest_addr,
                                                       SERVER_ADDR_UNKNOWN),
                             server_port = ADDR_OR_EMPTY(state->dest_port,
                                                       SERVER_PORT_UNKNOWN),
                             client_addr = ADDR_OR_EMPTY(state->addr,
                                                       CLIENT_ADDR_UNKNOWN),
                             client_port = ADDR_OR_EMPTY(state->port,
                                                       CLIENT_PORT_UNKNOWN),
                             service = var_smtpd_sasl_service,
                           user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
                             security_options = sasl_opts_val,
                             tls_flag = tls_flag)) == 0)
        msg_fatal("SASL per-connection initialization failed");

xsasl_cyrus_server.c

    /*
     * Build the "address;port" strings that are later given to
     * SASL_SERVER_NEW. If either the address or the port is an empty string,
     * the result is a null pointer instead, i.e. no endpoint information is
     * supplied for that side of the connection.
     * NOTE(review): concatenate() presumably returns allocated storage; the
     * matching release is not part of this excerpt.
     */
    server_addr_port = (*args->server_addr && *args->server_port ?
                        concatenate(args->server_addr, ";",
                                    args->server_port, (char *) 0) : 0);
    client_addr_port = (*args->client_addr && *args->client_port ?
                        concatenate(args->client_addr, ";",
                                    args->client_port, (char *) 0) : 0);
        ...

    /*
     * Create the Cyrus SASL connection context. server_addr_port and
     * client_addr_port may be null pointers at this point, in which case the
     * library receives no local/remote endpoint for this connection.
     * NOTE(review): whether the client address then reaches PAM (for example
     * as the remote host that pam_abl logs) depends on how the Cyrus SASL
     * side performs password verification, which this excerpt does not
     * show -- confirm before relying on host-based blocking.
     *
     * Any status other than SASL_OK is logged as a warning with the text
     * from xsasl_cyrus_strerror() and handled by the error-return macro.
     */
    if ((sasl_status =
         SASL_SERVER_NEW(args->service, var_myhostname,
                         args->user_realm ? args->user_realm : NO_AUTH_REALM,
                         server_addr_port, client_addr_port,
                         NO_SESSION_CALLBACKS, NO_SECURITY_LAYERS,
                         &sasl_conn)) != SASL_OK) {
        msg_warn("SASL per-connection server initialization: %s",
                 xsasl_cyrus_strerror(sasl_status));
        XSASL_CYRUS_SERVER_CREATE_ERROR_RETURN(0);
    }

xsasl_dovecot_server.c:

    /*
     * Remember the client address supplied by the caller; it is sent as the
     * rip= field of the AUTH request. mystrdup() presumably makes a private
     * copy -- confirm against its definition.
     */
    server->client_addr = mystrdup(args->client_addr);
        ....
        /*
         * Write the AUTH request to server->impl->sasl_stream as
         * tab-separated fields: request id, SASL mechanism, service name,
         * the "nologin" keyword, the local address (lip=) and the remote
         * client address (rip=). If client_addr is an empty string, the
         * request carries an empty rip= field.
         * NOTE(review): the %s values are written without escaping, so they
         * must never contain a tab or newline; presumably guaranteed for
         * addresses and the service name -- confirm at the call sites.
         */
        vstream_fprintf(server->impl->sasl_stream,
                        "AUTH\t%u\t%s\tservice=%s\tnologin\tlip=%s\trip=%s",
                        server->last_request_id, sasl_method,
                        server->service, server->server_addr,
                        server->client_addr);
