postfix-2.6.10

postfix/HISTORY

@@ -15475,3 +15475,10 @@ Apologies for any names omitted.
 
 	Portability: FreeBSD closefrom() support time window.  Sahil
 	Tandon. File: util/sys_defs.h.
+
+20110414
+
+	Bugfix (introduced with Postfix SASL patch 20000314): don't
+	reuse a server SASL handle after authentication failure.
+	Problem reported by Thomas Jarosch of Intra2net AG. File:
+	smtpd/smtpd_proto.c.

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110303"
-#define MAIL_VERSION_NUMBER	"2.6.9"
+#define MAIL_RELEASE_DATE	"20110509"
+#define MAIL_VERSION_NUMBER	"2.6.10"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/smtpd/smtpd_sasl_proto.c

@@ -184,6 +184,27 @@ int     smtpd_sasl_auth_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	return (-1);
     }
 
+    /* Don't reuse the SASL handle after authentication failure. */
+#ifndef SMTPD_FLAG_AUTH_USED
+#define SMTPD_FLAG_AUTH_USED	(1<<15)
+#endif
+#ifndef XSASL_TYPE_CYRUS 
+#define XSASL_TYPE_CYRUS	"cyrus"
+#endif
+    if (state->flags & SMTPD_FLAG_AUTH_USED) {
+	smtpd_sasl_deactivate(state);
+#ifdef USE_TLS
+	if (state->tls_context != 0)
+	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+				var_smtpd_sasl_tls_opts);
+	else
+#endif
+	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+				var_smtpd_sasl_opts);
+    } else if (strcmp(var_smtpd_sasl_type, XSASL_TYPE_CYRUS) == 0) {
+	state->flags |= SMTPD_FLAG_AUTH_USED;
+    }
+
     /*
      * All authentication failures shall be logged. The 5xx reply code from
      * the SASL authentication routine triggers tar-pit delays, which help to