Re: problem with Postfix 2.1 and SASL2 on Debian
From: Andreas Winkelmann (ml awinkelmann.de)
Date: Sun Jul 25 2004 - 13:23:26 CDT
On Sunday, 25 July 2004 at 20:10, Christoph Haas wrote:
> > > auxprop should be working. See the new version of the tutorial for a
> > > solution.
> >
> > Which tutorial?
>
> The tutorial(s) at http://workaround.org that I am maintaining (with a
> lot of contributions from other Postfix users).
>
> > > This also eliminated the PAM disadvantage that only plaintext mechs can
> > > be used (due to the nature of PAM and its lack of challenge-response
> > > capabilities). auxprop can use all kinds of mechs.
> >
> > Hmm, the main reason for this is the design of saslauthd. It speaks a
> > very easy protocol.
> >
> > Library -> saslauthd
> > - Hey, i have a username, password and servicename
Oops, I forgot the realm, sorry.
> Just out of curiosity... what is this "servicename"? Is it used by
> Cyrus only?
No, Postfix uses "smtp"; you will find it, for example, in PAM as
"/etc/pam.d/smtp". Another thing is the application name, where Postfix uses
"smtpd"; this is used for the configuration file ("/usr/lib/sasl2/smtpd.conf").
The application name is changeable in current Postfix versions.
> > saslauthd -> Library
> > - OK
> > - NOK
>
> Sounds as simple as Squid authenticators. :)
>
> > That's all, no more. For the *-MD5 mechanisms the library must know the
> > plaintext passwords.
> >
> > PAM can handle cleartext passwords and IMHO it can give them to the
> > application through the API. There are other disadvantages of PAM. For
> > example memory leaks in some plugins.
>
> I just (again) received an email from a frustrated reader with
> Debian/Woody who used my old suggestions (SASL->PAM->MySQL) which led
> to problems. As SASL v1.x does not support the mech_list (as I just
> learned from your other posting) he could only authenticate using the
> PLAIN and LOGIN mechs, although all mechs were offered after
> STARTTLS. A smart MUA that tried CRAM-MD5 fails this way.
Yes, this is a pitfall. Sometimes it only shows up after a long time, when you
change to a MUA which can handle more mechanisms than the existing one.
> I guess PAM should be avoided if possible. But what can we do about SASL
> 1.x? The libsasl-modules-plain package offers all these mechs:
>
> /usr/lib/sasl/liblogin.so.0.0.7
> /usr/lib/sasl/libcrammd5.so.1.0.19
> /usr/lib/sasl/libanonymous.so.1.0.17
> /usr/lib/sasl/libplain.so.1.0.16
The official way for sasl1 is to delete the Libs out of the Plugin-Directory.
--
Andreas
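The exchange described in the thread, as an added example that is not part of the original posts: a library hands saslauthd a login, password, service name and realm and gets back only OK or NO, so saslauthd can verify PLAIN and LOGIN but never the *-MD5 mechanisms, whereas an auxprop-style lookup returns the stored secret to the library so it can check a CRAM-MD5 digest itself. The four length-prefixed fields, the "smtp" service name, the user table and the challenge string are assumptions constructed for this demonstration; the real saslauthd wire format and Cyrus SASL internals are not reproduced.

```python
import hashlib
import hmac
import struct

# Constructed user table. An auxprop backend (sasldb, sql, ...) has to hold the
# plaintext secret like this, because shared-secret mechanisms need it.
USERS = {("alice", "example.org"): "correct horse battery staple"}


def pack_request(login, password, service, realm):
    """Encode a saslauthd-style request: four strings, each prefixed by an
    assumed big-endian uint16 length (layout is an assumption of this example)."""
    out = b""
    for field in (login, password, service, realm):
        data = field.encode()
        out += struct.pack(">H", len(data)) + data
    return out


def unpack_request(buf):
    """Decode the request produced by pack_request back into its four fields."""
    fields = []
    pos = 0
    for _ in range(4):
        (length,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        fields.append(buf[pos:pos + length].decode())
        pos += length
    return tuple(fields)


def saslauthd_verify(buf):
    """The saslauthd side: compare login+password against the store and answer
    OK or NO. The stored secret never leaves this function."""
    login, password, service, realm = unpack_request(buf)
    if service != "smtp":  # assumed service name Postfix presents
        return "NO unknown service"
    secret = USERS.get((login, realm))
    if secret is not None and hmac.compare_digest(secret.encode(), password.encode()):
        return "OK"
    return "NO authentication failed"


def plain_via_saslauthd(login, password, realm="example.org"):
    """The library side for PLAIN/LOGIN: it holds the cleartext password the
    client sent, so it can put it into the request."""
    reply = saslauthd_verify(pack_request(login, password, "smtp", realm))
    return reply == "OK"


def cram_md5_response(login, secret, challenge):
    """What a client computes for CRAM-MD5 (RFC 2195): HMAC-MD5 of the server
    challenge keyed with the shared secret, sent as hex next to the login."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{login} {digest}"


def verify_cram_md5_via_auxprop(response, challenge, realm="example.org"):
    """The library side with auxprop: it fetches the secret itself, recomputes
    the digest and compares. No cleartext password ever crossed the wire."""
    login, _, digest = response.partition(" ")
    secret = USERS.get((login, realm))
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def cram_md5_via_saslauthd(response, challenge):
    """Why CRAM-MD5 cannot be routed to saslauthd: after the challenge the
    library only holds the client's digest, not a password. The best it could
    do is send the digest as the password, which saslauthd rightly rejects."""
    login, _, digest = response.partition(" ")
    return plain_via_saslauthd(login, digest)


if __name__ == "__main__":
    challenge = b"<1896.697170952@postoffice.example.org>"  # constructed
    resp = cram_md5_response("alice", USERS[("alice", "example.org")], challenge)
    print("PLAIN via saslauthd:", plain_via_saslauthd("alice", "correct horse battery staple"))
    print("CRAM-MD5 via auxprop:", verify_cram_md5_via_auxprop(resp, challenge))
    print("CRAM-MD5 via saslauthd:", cram_md5_via_saslauthd(resp, challenge))
```

This is the reason behind the pitfall in the thread: a server backed by saslauthd that still advertises CRAM-MD5 will fail any MUA that picks it, so either restrict the offered mechanisms (mech_list with SASL 2, removing the plugin libraries with SASL 1) or move the password store to an auxprop backend that can hand the secret to the library.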