libsasl + smtp w/o clear passwd storage?

Jan Parcel jan.parcel at oracle.com
Fri Feb 5 16:44:18 EST 2016


On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
> On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
>> I think there MUST be a way to use libsasl with smtp without storing
>> passwords in the clear, and ESPECIALLY not on each local system, but
>> nowhere in the docs is an example for how to do so.
>
> This used to be possible using DIGEST-MD5, where the server stores 
> MD5(username:realm:password) instead of the plaintext password. This 
> is still a password equivalent, but only for the same realm (where you 
> can define the realm as a single host, or service, or company, or...).
>
> Sadly, Cyrus SASL removed support for this long ago, and now requires 
> the plaintext password be stored for anything other than auth methods 
> that send the password in the clear. Nobody ever explained what the 
> reasoning was for this change, and it still makes me sad.
>
Well, since MD5 is now considered weak, that does not appear to be a loss.

So, I want PLAIN, saslauthd, somehow hooked into LDAP, without any 
auxprop plugins?

And use TLS or whatever is available on the system for transit privacy?
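
The realm-scoped password equivalence described in the quoted reply, as an added example that is not part of the original message or of Cyrus SASL's code: it computes the RFC 2831 DIGEST-MD5 response (qop=auth, no authzid) from the stored MD5(username:realm:password) alone, which is why that stored value needs the same protection as a password. The user name, password, realms, nonces and function names are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_verifier(username: str, realm: str, password: str) -> bytes:
    # What the server keeps instead of the plaintext: MD5(username:realm:password).
    return h(f"{username}:{realm}:{password}".encode())

def response_from_verifier(verifier: bytes, nonce: str, cnonce: str,
                           nc: str, digest_uri: str, qop: str = "auth") -> str:
    # RFC 2831 response value. Only the stored verifier goes in;
    # the password itself is never needed at this stage.
    a1 = verifier + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2).hex()}"
    return h(kd_input.encode()).hex()

def server_accepts(stored: bytes, response: str, nonce: str, cnonce: str,
                   nc: str, digest_uri: str) -> bool:
    # The server recomputes the response from its own stored verifier.
    expected = response_from_verifier(stored, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample values, not taken from any real system.
    user, password = "alice", "correct horse"
    nonce, cnonce, nc = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001"
    realm_a, uri_a = "mail.example.com", "smtp/mail.example.com"
    realm_b, uri_b = "files.example.com", "smtp/files.example.com"

    db_a = stored_verifier(user, realm_a, password)  # entry on the realm A server
    db_b = stored_verifier(user, realm_b, password)  # same password, realm B server

    # Responses built from nothing but the realm A database entry.
    resp_for_a = response_from_verifier(db_a, nonce, cnonce, nc, uri_a)
    resp_for_b = response_from_verifier(db_a, nonce, cnonce, nc, uri_b)
    return {
        "verifiers_differ": db_a != db_b,
        "same_realm": server_accepts(db_a, resp_for_a, nonce, cnonce, nc, uri_a),
        "other_realm": server_accepts(db_b, resp_for_b, nonce, cnonce, nc, uri_b),
    }

if __name__ == "__main__":
    print(demo())
```
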

