Re: 2.3 and Dovecot SASL

From: Udo Rader (udo.raderbestsolution.at)
Date: Fri Apr 28 2006 - 14:14:50 CDT


On Fri, 2006-04-28 at 14:01 -0500, Anthony Messina wrote:
> Udo Rader wrote:
>
> <cut>
> > Our current setup is postfix using Cyrus SASL and dovecot using its
> > native SASL implementation. From our POV this has one major drawback,
> > namely DIGEST/CRAM authentication in connection with LDAP. For
> > Cyrus-SASL you are bound to the userPassword attribute and thus need to
> > have it stored plaintext in LDAP. This again means that services like
> > ssh, ... will also use this plaintext password. At least for us this is
> > ugly and a potential security risk, as some of our users are allowed to
> > connect via ssh as well.
> >
> > Dovecot OTOH lets you specify the attribute you want to use for SASL
> > authentication and thus allows you to have a completely separate password
> > for mail (which is what we prefer, no "single sign on" for
> > services/applications abused very often, like MUAs).
> <end cut>
>
> sorry to impose...
>
> i have PLAIN and LOGIN options for postfix sasl auth and have saslauthd
> query ldap directly and do not need plaintext passwords in ldap. i also
> used to have saslauthd use pam and did not need plaintext passwords in ldap.
>
> i do understand that DIGEST and CRAM won't work this way, but since
> neither of those are recommended over an unencrypted connection, you
> "should use tls" anyway. in that case, why not have postfix and imap
> set to PLAIN and/or LOGIN using cyrus-sasl but have the connection
> encrypted? that way you wouldn't have to have plaintext password in ldap.

no, the major advantage of DIGEST-MD5 or CRAM-MD5 connections is that
the passwords are actually never transmitted over the wire; instead a
challenge-response mechanism is in place. The server (the SASL side of
postfix in that case) makes a challenge, which happens to be some
arbitrary string encrypted with the user's password. The challenge is
sent over to the client, which is authorized if it is able to meet the
challenge by returning the unencrypted arbitrary string.

So DIGEST-MD5 and CRAM-MD5 authentication is definitely the best
choice for _unencrypted_ connections, because the password cannot be
sniffed anywhere. And TLS is of course a good choice, but only if
you are willing to burden your servers with TLS. Encryption becomes
expensive if everybody is using it ...

Udo Rader

--
BestSolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
