Re: 2 cyrus-sasl questions



On 02/19/15 11:38 -0800, Jan Parcel wrote:
> 1. Is there a scram sha-1 plugin by CMU ? If not, is there another one with a BSD-style licence
>    that is recommended?

The SCRAM mechanism was added in the 2.1.25 release.

> 2. What is the best and most-secure way to use sendmail with sasl on *nix to connect to AD *without* keeping passwords in the clear? ("best" includes ease of administration.....)

Between the sendmail server and the AD server, GSSAPI would be the obvious

If you need to support relay authentication from SMTP clients to the AD
server, GSSAPI is not a viable choice since many SMTP clients don't support

Your other option (for relayed authentication) is to perform PLAIN over TLS
between the client and the sendmail server, which in turn performs
DIGEST-MD5 over TLS over LDAP to the AD server, which would protect the
password in transit over both legs of the network.

Dan White
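
Added example, not part of the original message and not Cyrus SASL code: it contrasts the PLAIN initial response mentioned in the reply (the password is recoverable from the wire unless TLS wraps it) with the SCRAM-SHA-1 mechanism asked about in question 1, where the server checks a proof against a stored key and never holds the cleartext. It goes beyond the thread by working through the RFC 5802 example exchange (user `user`, password `pencil`); all function names are illustrative.

```python
import base64
import hashlib
import hmac

def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64-encoded for SMTP AUTH."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def recover_from_plain(b64_response):
    """What any observer of a non-TLS session recovers: base64 is encoding, not protection."""
    _authzid, authcid, password = base64.b64decode(b64_response).decode().split("\0")
    return authcid, password

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def scram_sha1_client(password, salt_b64, iterations, auth_message):
    """Client side of RFC 5802. Returns (proof_b64, stored_key, server_key).
    Assumes an ASCII password, so the SASLprep step is skipped."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(),
                                 base64.b64decode(salt_b64), iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    signature = _hmac(stored_key, auth_message.encode())
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return base64.b64encode(proof).decode(), stored_key, _hmac(salted, b"Server Key")

def scram_sha1_server_verify(stored_key, proof_b64, auth_message):
    """Server side: needs only StoredKey from its database, never the password."""
    signature = _hmac(stored_key, auth_message.encode())
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def server_signature(server_key, auth_message):
    """Value the server returns so the client can authenticate the server too."""
    return base64.b64encode(_hmac(server_key, auth_message.encode())).decode()

# Messages from the RFC 5802 section 5 example exchange.
NONCE = "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
SALT, ITERATIONS = "QSXCR+Q6sek8bf92", 4096
AUTH_MESSAGE = ",".join([
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL",        # client-first-message-bare
    f"r={NONCE},s={SALT},i={ITERATIONS}",       # server-first-message
    f"c=biws,r={NONCE}",                        # client-final-message-without-proof
])

if __name__ == "__main__":
    wire = plain_initial_response("user", "pencil")
    print("PLAIN on the wire:", wire, "->", recover_from_plain(wire))
    proof, stored, skey = scram_sha1_client("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    print("SCRAM proof:", proof, "verified:", scram_sha1_server_verify(stored, proof, AUTH_MESSAGE))
```
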
