Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [suse-security] postfix/imap/cyrus-sasl and Pam backend
From: Markus Feilner (listsfeilner-it.net)
Date: Wed Mar 10 2004 - 09:02:52 CST
Am Mittwoch, 10. März 2004 15:34 schrieb Andreas Winkelmann:
> > O.K.
> > I made postfix use SASL auth - by the parameters above means, it
> > uses saslauthd for authentikation. Right?
> > saslauthd is configured to auth against pam. Right?
> > But: saslauthd uses User/Password combinations from sasldb. Why?
> No. saslauthd and sasldb are two diffrent things.
OK. I believe you.
But it does not behave as i want to:
I have sytem user xxx with password yyy (pam) and saslaccount xxx with
password zzz in sasldb.
Why can this user only send (smtp) and recieve mail (imap) when he
enters his sasldb password zzz, even though the setup of saslauthd is
configured for pam? saslauthd is obviously using pam because only PLAIN
and LOGIN are allowed, trying other methods creates errors.
When I give my mail client the user data from the pam account user=xxx
password=yyy, i get "SASL PLAIN authentication failed".
> > Where is my mistake?
> > > > (BTW: Why does sasl with PAM only work with PLAIN?)
> > >
> > > It works with plain and login.
> > Sorry, You are right. But I want to understand, why I cannot use
> > either MD5 methods for that...
> To use the *-MD5 Mechanisms, Cyrus-SASL needs access to the
> unencrypted plaintext-password. This based on the algorithms how
> these hashes are computed.
> The other reason is saslauthd itself. It speaks a protocol where the
> Lib only asks saslauthd if the password is correct:
> Lib -> saslauthd : Is "User","Realm","Password" Ok
> saslauthd -> Lib: "Ok" / "Not Ok"
> That's all, no way to exchange a password.
OK. I understand.
That's why tls must be sufficient here.
Thanks a lot!
Mit freundlichen Grüßen
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilnerfeilner-it.net
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here