On 10/04/2010 11:07 AM, Dan White wrote:
>
> You can connect via a non-plaintext mechanism, like digest-md5.
>
This seems like a straightforward case of RTFM, but how does one
determine the auth mechanism? I'm using saslauthd, pam, and have a
self-signed certificate (which I know works):
---------------------------------
ibis:~~$ cyradm --auth digest-md5 --tlskey /etc/ssl/private/ssl-cert-mail.internetbs.com.key localhost
[ unable to get certificate from '/etc/ssl/private/ssl-cert-mail.internetbs.com.key' ]
[ TLS engine: cannot load cert/key data, might be a cert/key mismatch]
[ TLS engine failed ]
^C
ibis:~~$
ibis:~ssl$ sudo ls -l /etc/ssl/private
total 8
-rw-r----- 1 root ssl-cert 887 2009-09-13 14:02 ssl-cert-mail.internetbs.com.key
-rw-r----- 1 root ssl-cert 887 2010-04-11 14:00 ssl-cert-snakeoil.key
ibis:~ssl$ groups cyrus
cyrus : mail sasl ssl-cert
--------------------------------
Maybe the problem is I'm still not 100% clear on how SASL works.
I have saslauthd running with
MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"
However, there's no sasl pam.d config file -- presumably SASL somehow uses
/etc/pam.d/imap
/etc/pam.d/lmtp
??? I don't have lmtp running in a chroot jail, which is how I can get
away with this. smtp does run in a chroot jail, but has its own
saslauthd with
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I don't remember anyone mentioning this possibility (running multiple
saslauthd daemons) in any howto; most people seem to jump through
inordinate hoops to get all other programs to use the sasl socket in the
smtp chroot jail, which seems to unnecessarily complicate things.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/