On 04/07/10 00:29 -0300, D G Teed wrote:
>2010/7/2 Dan White <dwhite@xxxxxxx>
>
>> Cyrus imap will offer all available and initializable SASL
>> authentication plugins it can find (see pluginviewer for that list). In
>> the case where you have a plugin installed that you don't wish to offer,
>> you can restrict the list of mechanisms with the sasl_mech_list option.
>>
>> If you're depending on saslauthd for authentication, you shouldn't be
>> offering anything other than plain and login:
>>
>> sasl_mech_list: PLAIN LOGIN
>>
>Right, I had more in my list. And since I didn't have the cyrus-sasl-md5
>package before, the mentioning of MD5 mech types in the sasl_mech_list
>didn't matter.
>
>I have read some comments that suggest the MD5 mech options only work with
>sasl_pwcheck_method of auxprop, and won't work with pam via saslauthd. Is
>that true? That seems to be what you are saying as well. If not the
>case, I don't understand what would have been needed to enable the MD5
>types of auth mechanism. Any pointers to where the MD5 types of mech are
>documented for configuration?

See doc/components.html and doc/sysadmin.html within the Cyrus SASL source.

The sasl_pwcheck_method is not, and cannot be, used for CRAM-MD5 or
DIGEST-MD5. It's only appropriate for mechanisms which receive a password
from the client. For imapd, that would be the PLAIN and LOGIN mechanisms,
and the pre-sasl login command.

Cyrus SASL requires that shared secrets be stored within an auxprop store,
such as sasldb. Regardless of what your sasl_pwcheck_method configuration
is, sasl will always use your auxprop plugin(s) to service the DIGEST-MD5
plugin. To use DIGEST-MD5, you could use saslpasswd2 to store user
credentials within /etc/sasldb2.

saslauthd, and pam, cannot perform the required handshaking that DIGEST-MD5
requires, since neither has knowledge of what the shared secret (password)
is.

>For some reason, IMAP connections using TLS were not impacted by the
>change. I'm not sure of all of the ways it was broken because I wanted to
>get the service back up ASAP, but I do know Horde webmail was unable to
>connect using IMAP and notls.

More than likely you were dealing with clients that failed the DIGEST-MD5
authentication and then fell back to PLAIN or pre-sasl login. If
'allowplaintext' is disabled in your imapd.conf, then PLAIN, LOGIN, and
pre-sasl login can only be achieved in the presence of TLS or some other
encryption. 'allowplaintext: 0' will prevent a clear text password from
being sniffed over the wire.

--
Dan White

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
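The two configurations discussed in this thread, written out side by side as an added illustration (these are not excerpts from the list posts or from the Cyrus documentation). The first keeps saslauthd/PAM as the password checker and therefore advertises only the mechanisms that hand a password to the server; the second switches the shared-secret mechanism DIGEST-MD5 on, which works only when the credential lives in an auxprop store such as sasldb. The user name, domain and file paths are placeholders.

```conf
# /etc/imapd.conf, variant A: saslauthd (PAM) verifies passwords.
# Only mechanisms that transmit the password itself can be served by
# saslauthd, so advertise nothing else. allowplaintext: 0 makes imapd
# refuse PLAIN, LOGIN and the pre-SASL LOGIN command until STARTTLS (or
# another security layer) is active, so the password never crosses the
# wire in the clear.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: 0

# /etc/imapd.conf, variant B: DIGEST-MD5 served from sasldb.
# sasl_pwcheck_method is irrelevant for DIGEST-MD5; the mechanism is
# always serviced by the auxprop plugin(s), here the sasldb plugin with
# its default file /etc/sasldb2 (placeholder path for illustration).
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
allowplaintext: 0

# Shared secret for variant B is created out of band, e.g.
# (placeholder user and realm):
#   saslpasswd2 -c -u example.org alice
# A user present only in PAM/LDAP and absent from sasldb cannot complete
# DIGEST-MD5; clients such as the webmail in the thread then fall back to
# PLAIN, which allowplaintext: 0 blocks on a non-TLS connection.
```

To confirm what a running server actually offers, open an IMAP session and issue a CAPABILITY command: the AUTH= entries mirror the effective sasl_mech_list, and on a connection without TLS and with allowplaintext: 0 the server omits AUTH=PLAIN and reports LOGINDISABLED instead. Comparing the capability line before and after STARTTLS is the quickest way to see why a notls client broke while TLS clients kept working.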