User authentication problem (suspect PAM)

[Louis Guillaume <louis%zabrico.com@localhost>]

Hello!

I have a terrible authentication problem going on with a mail server. 
This is part of a massive spam attack I've been dealing with since ~ 
Dec. 23rd. I'm posting here because I believe the problem is with PAM:

This is and i386 machine running netbsd-6 from mid-November '14.
I'm using the following packages from pkgsrc-2014Q3:


  sendmail-8.14.9nb3
  cyrus-sasl-2.1.26nb4
  cyrus-saslauthd-2.1.26nb3
  pam-ldap-186nb5
  openldap-client-2.4.39nb1

The problem goes like this:

The user's email account, all of a sudden started being used to relay 
spam. A LOT of spam! It looked like the password was guessed. So I 
changed the password in the LDAP server (the only place there is a 
password for this user). But the spamming continued. The only way to 
cause the authentication to fail is by deleting the local user on the 
mail host.

Here's a little more about the setup:

  o Sendmail is authenticating users using saslauthd
  o saslauthd is using PAM
  o PAM is using pam-ldap with this setup in /etc/pam.d/smtp

auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_ldap.so             try_first_pass
auth            include         system


Using "testsaslauthd" works fine for authenticating users and everyone 
seems to have no trouble.

It's just this one user that is magically authenticated with whatever 
credentials the spammer is sending - and I have NO IDEA what the spammer 
is sending. If I change the password and don't tell anyone, it still 
authenticates! But only with this user and account.

It was suggested that saslauthd was caching the credentials, but after 
restarting the whole machine (not just saslauthd) the problem persists.

So to sum up:

  o All the pieces work fine together, normally.
  o Authentication using LDAP succeeds where it should.
  o Saslauthd does it's thing with no problem.
  o Sendmail does it's thing with no problem.

  o Because it takes deleting the local user account to make the
    problem go away, I am led to believe that the failure is with
    PAM. I think that, when pam_ldap.so fails, it tries the system
    config and for some reason it authenticates the user.

See also 
https://groups.google.com/forum/#!topic/comp.mail.sendmail/bJLc1frenKg , 
where i posted some logs from the mail server.

Any help with this would be fantastic. Thanks,

Louis