On 02/19/15 11:38 -0800, Jan Parcel wrote:
> 1. Is there a scram sha-1 plugin by CMU? If not, is there another
>    one with a BSD-style licence that is recommended?

The SCRAM mechanism was added in the 2.1.25 release.

> 2. What is the best and most-secure way to use sendmail with sasl on
>    *nix to connect to AD *without* keeping passwords in the clear?
>    ("best" includes ease of administration.....)

Between the sendmail server and the AD server, GSSAPI would be the obvious
choice.

If you need to support relay authentication from SMTP clients to the AD
server, GSSAPI is not a viable choice since many SMTP clients don't support
it.

Your other option (for relayed authentication) is to perform PLAIN over TLS
between the client and the sendmail server, which in turn performs
DIGEST-MD5 over TLS over LDAP to the AD server, which would protect the
password in transit over both legs of the network.

--
Dan White
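
Added example (not part of the original message, and not code from sendmail or Cyrus SASL): a check that compares the EHLO replies a server gives before and after STARTTLS, to confirm that PLAIN is only offered inside TLS as the PLAIN-over-TLS option above requires. The hostnames and sample replies are constructed for illustration.

```python
import re

# Mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(response):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = response.strip().splitlines()
    for line in lines[1:]:  # the first line is the greeting, not a capability
        # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").upper().split()
    return caps

def audit(pre_tls, post_tls):
    """Compare EHLO replies captured before and after STARTTLS; return findings."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: PLAIN cannot be protected")
    exposed = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("cleartext AUTH offered before TLS: "
                        + ", ".join(sorted(exposed)))
    if "PLAIN" not in post.get("AUTH", []):
        findings.append("PLAIN not offered after STARTTLS")
    return findings

# Constructed sample replies (not captured from a real server).
GOOD_PRE = """250-mail.example.org Hello client.example.org
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP"""
GOOD_POST = """250-mail.example.org Hello client.example.org
250-ENHANCEDSTATUSCODES
250-AUTH PLAIN LOGIN
250 HELP"""
BAD_PRE = """250-mail.example.org Hello client.example.org
250-AUTH=PLAIN LOGIN DIGEST-MD5
250-STARTTLS
250 HELP"""

if __name__ == "__main__":
    for name, pre in (("good", GOOD_PRE), ("bad", BAD_PRE)):
        print(name, audit(pre, GOOD_POST) or "ok")
```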