Re: Enabling cyrus-sasl for gssapi


 



On Fri, 15 Dec 2017 10:19:21 -0600 Dan White <dwhite@xxxxxxx> wrote:

> On 12/12/17 18:19 -0500, Mark Foley wrote:
> >It then goes on to discuss downloading cyrus-sasl, verifying SASL is configured
> >in Sendmail (mine is), etc.  Are you suggesting that SASL and saslauthd are
> >separate things and that I can use one (SASL) without the other (saslauthd)?
>
> saslauthd is part of Cyrus SASL, but Cyrus SASL does not require running
> saslauthd, and saslauthd cannot be used to perform direct SASL GSSAPI for
> server authentication.
>
> For documentation, consult /doc in the source, and:
>
> https://www.cyrusimap.org/sasl/
>

Dan - thanks for your response.

Yes, that's the exact page I've been consulting.

This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
further advises downloading and applying *REQUIRED* patches:

cyrus-sasl-2.1.26-fixes-3.patch
cyrus-sasl-2.1.26-openssl-1.1.0-1.patch

Do you agree? 

The first listed patch is described as, "various package fixes, including
autotools fixes, plugin fixes, security fixes, parallel build fixes, etc.", and
was created Aug-24-2014. 

The 2nd patch has no description, but patches
cyrus-sasl-2.1.26-orig/plugins/ntlm.c and is dated May-07-2017. It applies to
openssl 1.1.0 whereas I have 1.0.2k (although it's patching plugin/ntlm.c, not
openssl, so I'm not sure my openssl version matters).

Finally, if you've read this far! You wrote in a previous message:

> I would personally not use saslauthd in the above manner [authenticating with
> sendmail].  If you have a controlled environment where your clients
> (Thunderbird) are known to support GSSAPI negotiation over the network, then
> configuring Sendmail to support GSSAPI directly is secure and recommended. 

The "configuring Sendmail to support GSSAPI directly" is the bit that got my
attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
SASL, but *do not* need saslauthd, right?

Thanks, Mark



