On Sat, Mar 6, 2021 at 10:03 PM Mark Constable via SASL <sasl@xxxxxxxxxxxxxxxxxx> wrote:
Thanks to you Dan I have auth working directly with MySQL without pam_mysql. Now that I can see something working and can follow more specific Google queries I see that this approach is limited to storing clear text passwords. Using pam_mysql offers a couple of extra crypted options but still nothing like Dovecot's SHA512-CRYPT so I guess I'll eventually look into using Courier's authdaemond to see what it offers (I used to use the full Courier suite 10 years ago).
There is undocumented support for verifying passwords against a hash, within the sql and sasldb auxprop plugins, I believe, but you'd need to consult the source for how to use it. I'm not brave enough to try.
Using authdaemond within cyrus will have similar restrictions to saslauthd in that you won't be able to use it for any mechanisms outside of login and plain. The pwcheck_method won't apply to any other mechanisms. Other shared secret mechanisms such as digest-md5 will always use your configured auxprop plugin, because they generally require your server to have access to the shared secret (in clear text).
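
To illustrate the distinction drawn in the reply above (an added example, not part of the original thread and not Cyrus SASL code): with PLAIN the server receives the password and can check it against a one-way hash, while DIGEST-MD5 as specified in RFC 2831 only delivers a response that the server must recompute from the secret. PBKDF2-SHA512 stands in for a crypt-style hash such as SHA512-CRYPT, and the function names and sample account are assumptions.

```python
import hashlib
import hmac
import os


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Response value from RFC 2831 section 2.1.2.1 (no authzid)."""
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return md5(f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}".encode()).hex()


def hash_password(password, salt=None):
    # Stand-in for a crypt-style one-way hash (assumption: PBKDF2-SHA512).
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)


def verify_plain(stored, presented_password):
    # PLAIN/LOGIN: the client sends the password, so re-hash and compare.
    salt, expected = stored
    return hmac.compare_digest(expected, hash_password(presented_password, salt)[1])


def verify_digest_md5(server_secret, client_response, **params):
    # DIGEST-MD5: only the response arrives; the server recomputes it from the secret.
    expected = digest_md5_response(password=server_secret, **params)
    return hmac.compare_digest(expected, client_response)


def demo():
    # Constructed sample account and challenge values.
    params = dict(user="mark", realm="example.org", nonce="c2FtcGxlbm9uY2U",
                  cnonce="Y2xpZW50bm9uY2U", nc="00000001", digest_uri="imap/example.org")
    password = "correct horse"
    stored = hash_password(password)
    client_response = digest_md5_response(password=password, **params)
    return {
        "plain_with_hash": verify_plain(stored, password),
        "digest_with_cleartext": verify_digest_md5(password, client_response, **params),
        # Feeding the stored hash in as the "secret" cannot reproduce the response.
        "digest_with_hash_only": verify_digest_md5(stored[1].hex(), client_response, **params),
    }


if __name__ == "__main__":
    print(demo())
```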