On 02/19/15 12:13 PM, Dan White wrote:
> On 02/19/15 11:38 -0800, Jan Parcel wrote:
>> 1. Is there a SCRAM-SHA-1 plugin by CMU? If not, is there another one
>> with a BSD-style licence that is recommended?
> The SCRAM mechanism was added in the 2.1.25 release.
So SCRAM is the same as SCRAM-SHA-1? I see a lot of ifs in scram.c

>> 2. What is the best and most-secure way to use sendmail with SASL on
>> *nix to connect to AD *without* keeping passwords in the clear?
>> ("best" includes ease of administration.....)
> Between the sendmail server and the AD server, GSSAPI would be the
> obvious choice.
>
> If you need to support relay authentication from SMTP clients to the AD
> server, GSSAPI is not a viable choice since many SMTP clients don't
> support it.
>
> Your other option (for relayed authentication) is to perform PLAIN over
> TLS between the client and the sendmail server, which in turn performs
> DIGEST-MD5 over TLS over LDAP to the AD server, which would protect the
> password in transit over both legs of the network.
Thanks! And that keeps nothing in the clear?
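As an added example (not code from this thread and not Cyrus SASL's own plugin), here is a minimal SCRAM-SHA-1 exchange as specified in RFC 5802, with both the client and the server side, to show what the SCRAM mechanism actually puts on the wire: the password itself is never sent, and the server stores only StoredKey and ServerKey derived from a salted PBKDF2 of the password. The user name "user", password "pencil", salt and the two nonces are the test values from RFC 5802 section 5, so the proof and server signature can be compared against the RFC; the nonces are function parameters here only to keep the run reproducible, real code takes them from a CSPRNG. Swapping the hash name for "sha256" gives the SCRAM-SHA-256 variant.

```python
"""Minimal SCRAM-SHA-1 (RFC 5802) client/server exchange. Added example,
not the Cyrus SASL implementation; all inputs are the RFC's test values."""
import base64
import hashlib
import hmac

HASH = "sha1"        # SCRAM-SHA-1; "sha256" would give SCRAM-SHA-256
GS2_HEADER = "n,,"   # no channel binding, no authzid
CBIND_B64 = base64.b64encode(GS2_HEADER.encode()).decode()  # "biws"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-<hash> and dkLen = hash length.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def server_credential(password: str, salt: bytes, iterations: int) -> dict:
    """What the server keeps instead of the password. StoredKey verifies
    clients; ServerKey proves the server to clients. Neither is the password,
    and StoredKey alone does not let a thief authenticate as the user."""
    sp = salted_password(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(_hmac(sp, b"Client Key")),
        "server_key": _hmac(sp, b"Server Key"),
    }


def scram_exchange(username: str, password: str, cred: dict,
                   client_nonce: str, server_nonce: str) -> dict:
    """Run the four SCRAM messages and both sides' checks."""
    # client-first: user name and client nonce, nothing secret
    client_first_bare = f"n={username},r={client_nonce}"
    client_first = GS2_HEADER + client_first_bare

    # server-first: combined nonce, salt and iteration count (all public)
    nonce = client_nonce + server_nonce
    salt_b64 = base64.b64encode(cred["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={cred['iterations']}"

    # client-final: the client, which knows the password, derives ClientKey
    # and sends ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_final_bare = f"c={CBIND_B64},r={nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    sp = salted_password(password, cred["salt"], cred["iterations"])
    client_key = _hmac(sp, b"Client Key")
    client_signature = _hmac(_h(client_key), auth_message)
    client_proof = _xor(client_key, client_signature)
    client_final = client_final_bare + ",p=" + base64.b64encode(client_proof).decode()

    # server side: recover ClientKey from the proof using only StoredKey,
    # then check that H(ClientKey) matches StoredKey (constant-time compare)
    proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    recovered_client_key = _xor(proof, _hmac(cred["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_client_key), cred["stored_key"])

    # server-final: ServerSignature, which only a holder of ServerKey can make
    server_signature = _hmac(cred["server_key"], auth_message)
    server_final = "v=" + base64.b64encode(server_signature).decode()

    # client side: verify the server signature with its own derivation
    expected = _hmac(_hmac(sp, b"Server Key"), auth_message)
    server_ok = hmac.compare_digest(base64.b64decode(server_final[2:]), expected)

    return {
        "client_first": client_first,
        "server_first": server_first,
        "client_final": client_final,
        "server_final": server_final,
        "client_ok": client_ok,
        "server_ok": server_ok,
    }


# RFC 5802 section 5 test values (constructed input, not a live credential)
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC_SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"

if __name__ == "__main__":
    cred = server_credential("pencil", RFC_SALT, 4096)
    for key, value in scram_exchange("user", "pencil", cred,
                                     RFC_CLIENT_NONCE, RFC_SERVER_NONCE).items():
        print(f"{key}: {value}")
```

What goes over the wire is the user name, nonces, salt, iteration count, a one-time proof and a one-time server signature; the password never leaves the client, which is why SCRAM (like DIGEST-MD5, but unlike PLAIN) does not depend on TLS to keep the password out of the clear, though TLS is still wanted to protect the rest of the session.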