libsasl + smtp w/o clear passwd storage?
jan.parcel at oracle.com
Fri Feb 5 16:44:18 EST 2016
On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
> On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
>> I think there MUST be a way to use libsasl with smtp without storing
>> passwords in the clear, and ESPECIALLY not on each local system, but
>> nowhere in the docs is an example for how to do so.
> This used to be possible using DIGEST-MD5, where the server stores
> MD5(username:realm:password) instead of the plaintext password. This
> is still a password equivalent, but only for the same realm (where you
> can define the realm as a single host, or service, or company, or...).
> Sadly, Cyrus SASL removed support for this long ago, and now requires
> the plaintext password be stored for anything other than auth methods
> that send the password in the clear. Nobody ever explained what the
> reasoning was for this change, and it still makes me sad.
Well, since MD5 is now considered weak, that does not appear to be a loss.
So, I want PLAIN, saslauthd, somehow hooked into LDAP, without any
And use TLS or whatever is available on the system for transit privacy?
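
The storage scheme described in the quoted reply, as an added example that is not part of the original message and is not Cyrus SASL code: the server keeps only MD5(username:realm:password), can verify a DIGEST-MD5 response from that value alone, and the value is useless under a different realm. The response formula follows RFC 2831 for qop=auth with no authzid; the user name, realms, password, nonces and digest-uri are constructed sample values.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server stores: raw 16-byte MD5(username:realm:password)."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(secret: bytes, nonce: str, cnonce: str,
                    nc: str, digest_uri: str) -> str:
    """RFC 2831 response (qop=auth, no authzid) from the stored secret only."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hex()


def server_verify(secret: bytes, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored secret, compare in constant time."""
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


# Constructed sample exchange (not taken from the thread).
USER, PASSWORD = "jan", "correct horse"
REALM_A, REALM_B = "mail.example.org", "files.example.org"
NONCE, CNONCE, NC = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001"
URI = "smtp/mail.example.org"


def demo() -> dict:
    # Client knows the password; server for realm A holds only the hash.
    client_resp = digest_response(stored_secret(USER, REALM_A, PASSWORD),
                                  NONCE, CNONCE, NC, URI)
    db_a = stored_secret(USER, REALM_A, PASSWORD)
    db_b = stored_secret(USER, REALM_B, PASSWORD)  # same password, other realm
    return {
        "realm_a_accepts": server_verify(db_a, NONCE, CNONCE, NC, URI, client_resp),
        "realm_b_accepts": server_verify(db_b, NONCE, CNONCE, NC, URI, client_resp),
        "secrets_differ": db_a != db_b,
    }


if __name__ == "__main__":
    print(demo())
```

Because `digest_response` takes the stored value rather than the password, a leaked credential database is sufficient to authenticate within that realm, which is the "password equivalent" caveat in the reply.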