On 12/15/17 12:21 -0500, Mark Foley wrote:
Yes, that's the exact page I've been consulting.
This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
further advises downloading and applying *REQUIRED* patches:
cyrus-sasl-2.1.26-fixes-3.patch
cyrus-sasl-2.1.26-openssl-1.1.0-1.patch
I haven't reviewed the patches, but it's probably a good idea to used them,
unless you're using a 2.1.27 prerelease, or you could download the
source+patches for your base system (e.g. Debian or Redhat).
Finally, if you've read this far! You wrote in a previous message:
I would personally not use saslauthd in the above manner [authenticating with
sendmail]. If you have a controlled environment where your clients
(Thunderbird) are known to support GSSAPI negotiation over the network, then
configuring Sendmail to support GSSAPI directly is secure and recommended.
The "configuring Sendmail to support GSSAPI directly" is the bit that got my
attention. To clarify, in order to do Sendmail and GSSAPI directly I *do* need
SASL, but *do not* need saslauthd, right?
Yes, that's correct. You'd configure Sendmail to use the GSSAPI
authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
irrelevant.