Re: Please - correct me if I'm wrong - auxprop sasldb versus saslauthd sasldb

Dan White wrote:
Sascha Vogt wrote:
Hi List!

Should those two /usr/lib/sasl2/Sendmail.conf files do the same or not?

-------------------Sendmail.conf variant 1-----------------------------
pwcheck_method: saslauthd
mech_list: login plain
--------------------------------------------------------------------------------
Together with that, saslauthd is started with "-a sasldb".

------------------Sendmail.conf variant 2------------------------------
pw_check_method: auxprop
auxprop_plugin: sasldb
mech_list: login plain
--------------------------------------------------------------------------------
With that, saslauthd can stay asleep.


Sascha,

You've got a typo in the second config. 'pw_check_method' is wrong.

Also, you may want to look at your mail.log and auth.log files for errors.

- Dan
Hi Dan!

Thanks for the hint, but this was just a typo in my message. It was late and all I want to know is - should both configurations (without typos) do basically the same, or not?

To clear things up: the original target was and is a setup with sendmail offering optional SSL and TLS. Plain, login, cram-md5 and digest-md5 as auth-mechs, all against (cleartext) credentials in OpenLDAP via auxprop and ldapdb. I got OpenLDAP working with sshd via PAM (actually using saslauthd). But I couldn't get sendmail to do its job. So I tried to narrow the problem down by trying it with auxprop and sasldb, which didn't work either. Then I tried it with saslauthd and sasldb, which worked. It even worked with openldap (only plain and login mechs of course). Problem is that saslauthd doesn't allow sendmail to use *-md5 mechs.

Anyway it's kind of frustrating. I really would love an option for libsasl to produce some lines in my logs. Things like who called, asked for what, where it searched for what, and what it found there. And which plugins were used to do all that. Since SASL is a little hydra with so many ways to do and configure things, that would help a lot. In my personal opinion, I believe that's one of the reasons why people stick with weak, out-of-the-box security, because doing it the right way drives them crazy or even worse, back to Redmond.

Sticking to PLAIN and LOGIN is simply unacceptable, since everybody who can catch a piece of mail.log (maybe from a backup) and understands base64 encoding receives all other user credentials served for free. And SSL or TLS would not help to prevent this. Of course I could run a lower log_level than 29, but there are reasons to stay with it.

Sorry for that... It had to be said...

Sascha
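The two Sendmail.conf variants in the thread differ in one way that is easy to miss: a misspelled option such as pw_check_method is not an error for libsasl, it is simply never read, so the file behaves as if the option were absent and pwcheck_method falls back to its default (auxprop). The other difference Sascha runs into is that saslauthd only verifies a cleartext password, so CRAM-MD5 and DIGEST-MD5, which need the server to know the stored secret, cannot be served through it and require an auxprop backend such as sasldb or ldapdb. The linter below is an added example written for this page, not code from the thread or from Cyrus SASL; KNOWN_KEYS is a hand-picked subset of real libsasl options, the config parsing is a simplified "option: value" reader, and VARIANT_3 is a constructed config for the *-md5 case.

```python
"""Lint a libsasl application config such as /usr/lib/sasl2/Sendmail.conf.

Added example, not part of the thread. It checks the two points the thread
turns on: an option name libsasl will not recognise (and therefore silently
ignore), and a mech_list that the chosen password-check backend cannot serve.
saslauthd only verifies cleartext passwords, so the shared-secret mechanisms
CRAM-MD5 and DIGEST-MD5 need an auxprop backend that can hand the mechanism
plugin the stored secret.
"""

# Hand-picked subset of real libsasl options; extend for your installation.
KNOWN_KEYS = {"pwcheck_method", "auxprop_plugin", "mech_list",
              "log_level", "sasldb_path", "saslauthd_path"}
# Mechanisms that need the server to know the stored secret.
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5"}

# The two variants quoted in the thread (variant 2 keeps its typo on purpose)
# plus a constructed third one for the *-md5 case Sascha describes.
VARIANT_1 = "pwcheck_method: saslauthd\nmech_list: login plain\n"
VARIANT_2 = "pw_check_method: auxprop\nauxprop_plugin: sasldb\nmech_list: login plain\n"
VARIANT_3 = "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5\n"


def parse_sasl_conf(text):
    """Parse 'option: value' lines; '#' starts a comment. Keys are lowercased."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'option: value', got {raw!r}")
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_sasl_conf(text):
    """Return a list of human-readable problems; an empty list means clean."""
    conf = parse_sasl_conf(text)
    problems = []
    for key in conf:
        if key in KNOWN_KEYS:
            continue
        # Suggest a known option that differs only in underscores.
        close = [k for k in KNOWN_KEYS if k.replace("_", "") == key.replace("_", "")]
        hint = f" (did you mean {close[0]!r}?)" if close else ""
        problems.append(f"unknown option {key!r} is ignored by libsasl{hint}")

    method = conf.get("pwcheck_method", "auxprop")   # libsasl's default backend
    mechs = {m.lower() for m in conf.get("mech_list", "").split()}
    unserved = sorted(mechs & SHARED_SECRET_MECHS)
    if method == "saslauthd" and unserved:
        problems.append(
            "pwcheck_method saslauthd only checks cleartext passwords; "
            f"{', '.join(unserved)} need an auxprop backend"
        )
    if method == "auxprop" and "auxprop_plugin" not in conf:
        problems.append("auxprop_plugin not set: libsasl will try every installed auxprop plugin")
    return problems


if __name__ == "__main__":
    for name, text in (("variant 1", VARIANT_1), ("variant 2", VARIANT_2), ("variant 3", VARIANT_3)):
        print(name, "->", lint_sasl_conf(text) or "OK")
```

Run against the thread's own files, variant 1 comes back clean, variant 2 reports only the misspelled option, and the constructed variant 3 explains why the *-md5 mechanisms never work behind saslauthd. The underscore-insensitive comparison is what turns Dan's one-line diagnosis into something a config check can catch before the first failed login.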


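Sascha's last point is the one a log owner can act on immediately: once the SMTP dialogue is logged, every PLAIN or LOGIN authentication is sitting in mail.log as a base64 blob, and TLS on the wire changes nothing about the copy on disk or in the backup. Moving to shared-secret mechanisms removes the blob altogether; until then, the blobs can be masked before the log leaves the host. The scrubber below is an added example for this page, not code from the thread or from sendmail: it masks the token after "AUTH PLAIN" and the two client replies that follow "AUTH LOGIN" without decoding anything, and leaves the server's 334 prompts and 235 result intact. The SAMPLE_LOG lines are constructed for the example and are not sendmail's actual log format at any log_level.

```python
"""Mask SASL PLAIN/LOGIN credential blobs in SMTP logs before they are archived.

Added example, not part of the thread. Nothing here is decoded: the pass
recognises the base64 token after "AUTH PLAIN" and the client replies that
follow "AUTH LOGIN", replaces them with a marker, and keeps the server's
numeric replies (334 prompts, 235 result) as they are.

SAMPLE_LOG is constructed for this example; it is not sendmail's real format.
"""
import base64
import binascii
import re

SAMPLE_LOG = """\
Mar  3 21:14:02 mx sm-mta[4711]: n23KE2xx004711: AUTH PLAIN AGFsaWNlAHNlY3JldA==
Mar  3 21:14:02 mx sm-mta[4711]: n23KE2xx004711: 235 2.0.0 OK Authenticated
Mar  3 21:15:10 mx sm-mta[4712]: n23KFAxx004712: AUTH LOGIN
Mar  3 21:15:10 mx sm-mta[4712]: n23KFAxx004712: 334 VXNlcm5hbWU6
Mar  3 21:15:10 mx sm-mta[4712]: n23KFAxx004712: Ym9i
Mar  3 21:15:10 mx sm-mta[4712]: n23KFAxx004712: 334 UGFzc3dvcmQ6
Mar  3 21:15:11 mx sm-mta[4712]: n23KFAxx004712: aHVudGVyMg==
Mar  3 21:15:11 mx sm-mta[4712]: n23KFAxx004712: 235 2.0.0 OK Authenticated
Mar  3 21:16:00 mx sm-mta[4713]: n23KG0xx004713: from=<bob@example.org>, size=1234
"""

# "AUTH PLAIN <initial-response>" or "AUTH LOGIN" with an optional initial response.
AUTH_CMD = re.compile(r"\bAUTH\s+(PLAIN|LOGIN)(?:\s+([A-Za-z0-9+/=]+))?\s*$", re.IGNORECASE)
# Heuristic for an SMTP server reply (3-digit code), so 334 prompts are left alone.
SERVER_REPLY = re.compile(r"\b\d{3}[ -]")
MASK = "[REDACTED]"


def looks_like_base64(token):
    """True if token is syntactically valid base64; the content is never inspected."""
    if len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{4,}={0,2}", token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def redact_sasl_credentials(lines):
    """Return (redacted_lines, number_of_tokens_masked)."""
    out, masked, pending = [], 0, 0
    for line in lines:
        m = AUTH_CMD.search(line)
        if m:
            mech, initial = m.group(1).upper(), m.group(2)
            pending = 1 if mech == "PLAIN" else 2   # client base64 replies still to come
            if initial:
                line = line[:m.start(2)] + MASK + line[m.end(2):]
                masked += 1
                pending -= 1
        elif pending and not SERVER_REPLY.search(line):
            # A bare base64 token from the client while an AUTH exchange is open.
            token = line.rsplit(None, 1)[-1] if line.strip() else ""
            if looks_like_base64(token):
                line = line[:line.rfind(token)] + MASK
                masked += 1
                pending -= 1
        out.append(line)
    return out, masked


if __name__ == "__main__":
    redacted, count = redact_sasl_credentials(SAMPLE_LOG.splitlines())
    print("\n".join(redacted))
    print(f"{count} credential token(s) masked")
```

The scrubber is stateful on purpose: with LOGIN the username and password arrive as two separate base64 lines after the command, so the pass has to remember that an exchange is open and count down the client replies, while the 3-digit server replies in between are skipped. It is a mitigation for the archive-and-backup exposure Sascha describes, not a substitute for the mechanism change he is asking for.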
