Re: problem with Postfix 2.1 and SASL2 on Debian
From: Andreas Winkelmann (ml awinkelmann.de)
Date: Sun Jul 25 2004 - 22:38:49 CDT
On Sunday, 25 July 2004 21:53, Christoph Haas wrote:
> > > I just (again) received an email from a frustrated reader with
> > > Debian/Woody who used my old suggestions (SASL->PAM->MySQL), which led
> > > to problems. As SASL v1.x does not support the mech_list (as I just
> > > learned from your other posting) he could only authenticate using the
> > > PLAIN and LOGIN mechs, although all mechs were offered during the
> > > STARTTLS. A smart MUA that tried CRAM-MD5 fails this way.
> >
> > Yes, this is a pitfall. Sometimes it only happens after a long time, when
> > you change to a MUA which can handle more Mechanisms than the existing one.
> >
> > > I guess PAM should be avoided if possible. But what can we do about
> > > SASL 1.x? The libsasl-modules-plain package offers all these mechs:
> > >
> > > /usr/lib/sasl/liblogin.so.0.0.7
> > > /usr/lib/sasl/libcrammd5.so.1.0.19
> > > /usr/lib/sasl/libanonymous.so.1.0.17
> > > /usr/lib/sasl/libplain.so.1.0.16
> >
> > The official way for sasl1 is to delete the Libs out of the
> > Plugin-Directory.
>
> Just to make sure I'm not completely confused. This problem only occurs
> if I use encrypted (MD5-hashed) passwords, right? I switched the setup
> from encrypted to plaintext passwords that I read from the pam_mysql.so.
> IMHO that should solve it as SASL gets the plaintext password from
> PAM/MySQL and can build the challenge string for CRAM-MD5.
To use the *-MD5 Mechanisms the SASL-Library _needs_ the _unencrypted_
Passwords.

need: saslauthd has no possibility to give the Password to the Library. And
for sasl1, if you use pam directly, I don't think it is used to fetch
passwords from the Storage. It only verifies Passwords.

unencrypted: To compute the hashes, which are used for the *-MD5 Mechanisms,
*both* sides need the Plaintext-Password.

The only way to use the *-MD5 Mechanisms is with auxprop (sasldb/mysql/sql/
ldapdb) as method.
> I had tested it myself but Mozilla Thunderbird seems to use "PLAIN"
> and I have no other MUA at hand.
I think TB can use *-MD5 Mechs as well. You should check if your Postfix
offers the *-MD5 Mechanisms to the MUA.
But let's stop this Thread. Wietse is right, these are Cyrus-SASL Basics and
should be discussed in the sasl-ml. If the SASL-List is empty, the sasl-folks
think the world is fine and next time the domain-part is dropped with
Auxprop ;-)
(No, I'm away for a few days).
--
Andreas
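The point Andreas makes above (both sides of a *-MD5 mechanism need the plaintext password, so a password store that holds only one-way hashes can serve PLAIN/LOGIN but never CRAM-MD5) can be shown with a small CRAM-MD5 exchange. The following is an added example, not code from the mailing-list thread, Postfix or Cyrus SASL; the credential stores, user name, password and hostname are constructed sample values, and the hash-only store uses SHA-256 hex as a stand-in for whatever crypt-style hash a PAM/MySQL backend would hold.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credential stores (not from the original post).
# An auxprop-style store keeps the plaintext password:
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}
# A "encrypted password" store keeps only a one-way hash of it
# (SHA-256 hex here, standing in for a crypt-style hash in the database):
HASHED_STORE = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def make_challenge(hostname="mail.example.invalid"):
    """Server side: RFC 2195 style challenge "<token.timestamp@hostname>".

    Sent base64-encoded on the wire; the raw bytes are what gets HMAC'd.
    (hostname is a constructed placeholder.)"""
    return f"<{secrets.token_hex(4)}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the *password*, over the challenge.

    The MUA never sends the password itself, only this keyed digest."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def _split_response(response_b64):
    username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    return username, digest


def verify_cram_md5_plaintext_store(store, challenge, response_b64):
    """Server with the plaintext password (auxprop: sasldb/sql/ldapdb).

    It can recompute exactly what the client computed and compare."""
    username, digest = _split_response(response_b64)
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_cram_md5_hash_only_store(store, challenge, response_b64):
    """Server that holds only H(password), as with saslauthd/PAM setups.

    The HMAC key the client used is the password, which this server does not
    have. Keying the HMAC with the stored hash instead is the only thing it
    could try, and it can never match: this is why *-MD5 mechanisms fail
    with hashed stores even though the MUA did everything right."""
    username, digest = _split_response(response_b64)
    stored_hash = store.get(username)
    if stored_hash is None:
        return False
    attempt = hmac.new(stored_hash.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(attempt, digest)  # always False for a real client


def verify_plain_hash_only_store(store, username, password):
    """PLAIN/LOGIN (inside TLS): the server *receives* the password, so a
    hash-only store is enough; it just hashes and compares."""
    stored_hash = store.get(username)
    if stored_hash is None:
        return False
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), stored_hash)


def mechanisms_that_work(store_is_plaintext):
    """Which mechanisms a server can honestly advertise for a given store type.

    A server that advertises CRAM-MD5 without a plaintext store produces the
    exact failure described in the thread once a capable MUA picks it."""
    return ["PLAIN", "LOGIN", "CRAM-MD5"] if store_is_plaintext else ["PLAIN", "LOGIN"]


if __name__ == "__main__":
    chal = make_challenge()
    resp = client_response("alice", "correct horse battery staple", chal)
    print("auxprop (plaintext) store, CRAM-MD5:", verify_cram_md5_plaintext_store(PLAINTEXT_STORE, chal, resp))
    print("hash-only store, CRAM-MD5:          ", verify_cram_md5_hash_only_store(HASHED_STORE, chal, resp))
    print("hash-only store, PLAIN:             ", verify_plain_hash_only_store(HASHED_STORE, "alice", "correct horse battery staple"))
    print("safe to advertise with hash-only store:", mechanisms_that_work(False))
```

The practical consequence for the Debian/Woody setup discussed in the thread is the last function: if the backend only ever sees or stores hashed passwords, the server should not offer the *-MD5 mechanisms at all (by removing the plugin libraries under SASL 1, or via mech_list under SASL 2), since an MUA that prefers CRAM-MD5 will otherwise fail with a valid password.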