On Fri, 15 Dec 2017 10:19:21 -0600 Dan White <dwhite@xxxxxxx> wrote:

> On 12/12/17 18:19 -0500, Mark Foley wrote:
> >It then goes on to discuss downloading cyrus-sasl, verifying SASL is configured
> >in Sendmail (mine is), etc.. Are you suggesting that SASL and saslauthd are
> >separate things and that I can use one (SASL) without the other (saslauthd)?
>
> saslauthd is part of Cyrus SASL, but Cyrus SASL does not require running
> saslauthd, and saslauthd cannot be used to perform direct SASL GSSAPI for
> server authentication.
>
> For documentation, consult /doc in the source, and:
>
> https://www.cyrusimap.org/sasl/
>

Dan - thanks for your response. Yes, that's the exact page I've been consulting.

This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
further advises downloading and applying *REQUIRED* patches:

cyrus-sasl-2.1.26-fixes-3.patch
cyrus-sasl-2.1.26-openssl-1.1.0-1.patch

Do you agree? The first listed patch is described as, "various package fixes,
including autotools fixes, plugin fixes, security fixes, parallel build fixes,
etc.", and was created Aug-24-2014.

The 2nd patch has no description, but patches
cyrus-sasl-2.1.26-orig/plugins/ntlm.c and is dated May-07-2017 It applies to
openssl 1.1.0 whereas I have 1.0.2k (although it's patching plugin/ntlm.c, not
openssl, so I'm not sure my openssl version matters).

Finally, if you've read this far! You wrote in a previous message:

> I would personally not use saslauthd in the above manner [authenticating with
> sendmail]. If you have a controlled environment where your clients
> (Thunderbird) are known to support GSSAPI negotiation over the network, then
> configuring Sendmail to support GSSAPI directly is secure and recommended.

The "configuring Sendmail to support GSSAPI directly" is the bit that got my
attention. To clarify, in order to do Sendmail and GSSAPI directly I *do* need
SASL, but *do not* need saslauthd, right?

Thanks, Mark