Re: saslauth configuration question

On 01/14/13 19:39 +0000, Charles Bradshaw wrote:
> I am considering switching my smtpd from sendmail to postfix, but I am a
> little confused.
>
> The following snip from http://www.postfix.org/SASL_README.html
>
> "
> /etc/sasl2/smtpd.conf:
>    pwcheck_method: saslauthd
>    mech_list: PLAIN LOGIN
>
> Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
> using saslauthd! It can only handle these two mechanisms, and authentication
> will fail if clients are allowed to choose other mechanisms.
> "
>
> Appears to be wrong! I have the sasl2 configuration:
>
> /etc/sasl2/Sendmail.conf:
>    pwcheck_method: saslauthd
>    mech_list: DIGEST-MD5 PLAIN
>
> DEFINITELY WORKING <<
>
> Admittedly, I am using sendmail and not postfix so perhaps I have a
> misconfiguration somewhere. The server in question is using /etc/salsdb with some
> test users NOT having accounts on the server and the debug dialogs clearly
> show that DIGEST-MD5 is being used.
>
> The above quote, cut and paste from the readme, contains a clear enough
> statement, except for the grammar, i.e. the word "other" missing between the
> words "mech_list" and "than". But:
>
> I'm confused because I have a solid, tested, working example which contradicts
> the postfix readme.
>
> Is the operation of Sendmail.conf somehow different to smtpd.conf?
>
> Further on the readme does say:
>
> /etc/sasl2/smtpd.conf:
>    pwcheck_method: auxprop
>    auxprop_plugin: sasldb
>    mech_list: CRAM-MD5 PLAIN
>
> Which also works.
>
> Is there a rational explanation or do I just put it down to a ghost in the
> machine?

What saslauthd backend are you using?

Typically saslauthd is not used when you store users in sasldb. It can be
used with sasldb if compiled to do so, and chosen with '-a sasldb'. If your
users are stored within sasldb, you should be doing 'pwcheck_method:
auxprop', instead of running saslauthd, to save yourself some overhead.

pwcheck_method only affects PLAIN and LOGIN authentications. Shared-secret
mechanisms such as DIGEST-MD5 will use your auxprop configuration (such as
sasldb) to authenticate the user.

For an overview, see:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

--
Dan White
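
The split described in the reply above, as an added example (not part of the original message and not Cyrus SASL code): a small Python check that reads a Cyrus SASL application config and reports which option governs verification of each offered mechanism. The function names are hypothetical, only the four mechanisms named in this thread are classified, and the sample configs are the three quoted in the thread.

```python
# Added example: map each mechanism in a Cyrus SASL application config to the
# option that governs its verification, per the rule stated in the reply above.
PLAINTEXT = {"PLAIN", "LOGIN"}               # checked via pwcheck_method
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}   # checked against auxprop secrets

def parse_conf(text):
    """Parse 'option: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def verification_paths(text):
    """Return {mechanism: governing option} for every entry in mech_list."""
    opts = parse_conf(text)
    pwcheck = opts.get("pwcheck_method", "(not set)")
    auxprop = opts.get("auxprop_plugin", "(not set)")
    paths = {}
    for mech in opts.get("mech_list", "").upper().split():
        if mech in PLAINTEXT:
            paths[mech] = "pwcheck_method: " + pwcheck
        elif mech in SHARED_SECRET:
            paths[mech] = "auxprop_plugin: " + auxprop
        else:
            paths[mech] = "unclassified (not discussed in this thread)"
    return paths

def split_backends(text):
    """True when saslauthd is configured but some offered mechanism bypasses it."""
    opts = parse_conf(text)
    mechs = set(opts.get("mech_list", "").upper().split())
    uses_saslauthd = "saslauthd" in opts.get("pwcheck_method", "").split()
    return uses_saslauthd and bool(mechs & SHARED_SECRET)

# The three configurations quoted in this thread.
README_SASLAUTHD = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
SENDMAIL_CONF = "pwcheck_method: saslauthd\nmech_list: DIGEST-MD5 PLAIN\n"
README_AUXPROP = "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: CRAM-MD5 PLAIN\n"

if __name__ == "__main__":
    for name, conf in [("README saslauthd", README_SASLAUTHD),
                       ("Sendmail.conf", SENDMAIL_CONF),
                       ("README auxprop", README_AUXPROP)]:
        print(name, verification_paths(conf), "split:", split_backends(conf))
```

A `split: True` result means two credential stores are in play: accounts present only in the auxprop store can still authenticate with the shared-secret mechanism even though saslauthd's backend does not know them.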

