Re: Enabling cyrus-sasl for gssapi



On Fri, Dec 15, 2017 at 12:21:42PM -0500, Mark Foley wrote:
> On Fri, 15 Dec 2017 10:19:21 -0600 Dan White <dwhite@xxxxxxx> wrote:
> > On 12/12/17 18:19 -0500, Mark Foley wrote:
> > >It then goes on to discuss downloading cyrus-sasl, verifying SASL is configured
> > >in Sendmail (mine is), etc..  Are you suggesting that SASL and saslauthd are
> > >separate things and that I can use one (SASL) without the other (saslauthd)?

Sorry, I'm coming in to the conversation late and I think I missed the
first message.  I was just checking out the source for Slackware and it
didn't look to me like `sendmail' is being built with sasl support at
least not looking at the site.config.m4 provided with the distro. Take a
look at:
APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')

Here is the site.config.m4 stuff from the SlackBuild
cat $CWD/site.config.m4 | sed "s,@LIBDIRSUFFIX@,$LIBDIRSUFFIX," \
  > devtools/Site/site.config.m4

$ grep SASL devtools/Site/site.config.m4.sample

I'm not sure why one would include cyrus-sasl and not implement it with
sendmail. My only guess would be since you have the option at install
time not to install cyrus-sasl they don't want it to break the install
of sendmail perhaps.

On the plus side it looks like cyrus-sasl enables `gssapi' by default in
the configure script. However, you may want to add a line to the cyrus
slackbuild to choose your preferred gssapi mech.


The default is auto and without going further down the rabbit hole I
don't know what auto would be on Slack and it may not be what you want.
> >
> > saslauthd is part of Cyrus SASL, but Cyrus SASL does not require running
> > saslauthd, and saslauthd cannot be used to perform direct SASL GSSAPI for
> > server authentication.
> >
> > For documentation, consult /doc in the source, and:
> >
> >
> >
> Dan - thanks for your response.
> Yes, that's the exact page I've been consulting.
> This site:
> further advises downloading and applying *REQUIRED* patches:
> cyrus-sasl-2.1.26-fixes-3.patch
> cyrus-sasl-2.1.26-openssl-1.1.0-1.patch
> Do you agree? 
> The first listed patch is described as, "various package fixes, including
> autotools fixes, plugin fixes, security fixes, parallel build fixes, etc.", and
> was created Aug-24-2014. 
> The 2nd patch has no description, but patches
> cyrus-sasl-2.1.26-orig/plugins/ntlm.c and is dated May-07-2017. It applies to
> openssl 1.1.0 whereas I have 1.0.2k (although it's patching plugin/ntlm.c, not
> openssl, so I'm not sure my openssl version matters).
> Finally, if you've read this far! You wrote in a previous message:
> > I would personally not use saslauthd in the above manner [authenticating with
> > sendmail].  If you have a controlled environment where your clients
> > (Thunderbird) are known to support GSSAPI negotiation over the network, then
> > configuring Sendmail to support GSSAPI directly is secure and recommended. 
> The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> SASL, but *do not* need saslauthd, right?
> Thanks, Mark
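
The site.config.m4 check discussed in this message, written out as an added example that is not part of the original thread or the Slackware build scripts. It assumes the two settings sendmail's build documentation gives for Cyrus SASL v2 (`-DSASL=2` in `confENVDEF` and `-lsasl2` in `conf_sendmail_LIBS`); the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a sendmail site.config.m4 enable Cyrus SASL v2?
# It looks for the two settings a SASL v2 build of sendmail uses:
#   APPENDDEF(`confENVDEF', `-DSASL=2')
#   APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')

# Print only active lines: a line starting with "dnl" is discarded by m4.
active_m4_lines() {
    grep -v '^[[:space:]]*dnl' "$1"
}

# Return 0 if SASL v2 is enabled, 1 if a setting is missing, 2 if unreadable.
check_sasl_m4() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    missing=""
    active_m4_lines "$f" | grep -q 'confENVDEF.*-DSASL=2' \
        || missing="$missing -DSASL=2"
    active_m4_lines "$f" | grep -q 'conf_sendmail_LIBS.*-lsasl2' \
        || missing="$missing -lsasl2"
    if [ -n "$missing" ]; then
        echo "$f: SASL not enabled, missing:$missing"
        return 1
    fi
    echo "$f: SASL v2 enabled"
}

# Constructed sample inputs (not the real Slackware file).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/milter-only.m4" <<'EOF'
APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')
dnl APPENDDEF(`confENVDEF', `-DSASL=2')
dnl APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
EOF
cat > "$SAMPLES/with-sasl.m4" <<'EOF'
APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
EOF

for f in "$SAMPLES"/*.m4; do
    check_sasl_m4 "$f" || true
done
```

For a binary that is already installed, `sendmail -d0.1 -bv root` prints its compile-time options, and `SASLv2` appears in that list when SASL support was built in.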
