Re: 2 cyrus-sasl questions

On 02/19/15 12:13 PM, Dan White wrote:
> On 02/19/15 11:38 -0800, Jan Parcel wrote:
>> 1. Is there a scram sha-1 plugin by CMU? If not, is there another one with a BSD-style licence
>>    that is recommended?
>
> The SCRAM mechanism was added in the 2.1.25 release.

So scram is the same as scram-sha1? I see a lot of ifs in scram.c

>> 2. What is the best and most-secure way to use sendmail with sasl on *nix to connect to AD *without* keeping passwords in the clear? ("best" includes ease of administration.....)
>
> Between the sendmail server and the AD server, GSSAPI would be the obvious
> choice.
>
> If you need to support relay authentication from SMTP clients to the AD
> server, GSSAPI is not a viable choice since many SMTP clients don't support
> it.
>
> Your other option (for relayed authentication) is to perform PLAIN over TLS
> between the client and the sendmail server, which in turn performs
> DIGEST-MD5 over TLS over LDAP to the AD server, which would protect the
> password in transit over both legs of the network.

Thanks! And that keeps nothing in the clear?



