libsasl + smtp w/o clear passwd storage?
dwhite at olp.net
Fri Feb 5 17:26:26 EST 2016
On 02/05/16 13:44 -0800, Jan Parcel via Cyrus-devel wrote:
>On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
>>On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
>>>I think there MUST be a way to use libsasl with smtp without storing
>>>passwords in the clear, and ESPECIALLY not on each local system, but
>>>nowhere in the docs is an example for how to do so.
>>This used to be possible using DIGEST-MD5, where the server stores
>>MD5(username:realm:password) instead of the plaintext password. This
>>is still a password equivalent, but only for the same realm (where
>>you can define the realm as a single host, or service, or company,
>>Sadly, Cyrus SASL removed support for this long ago, and now
>>requires the plaintext password be stored for anything other than
>>auth methods that send the password in the clear. Nobody ever
>>explained what the reasoning was for this change, and it still makes
>Well, since md5 is now considered weak, that does not appear to be a loss.
>So, I want PLAIN, saslauthd, somehow hooked into ldap, without any
>And use tls or whatever is available on the system for transit privacy?
There is a flexible ldap backend to saslauthd. See saslauthd/LDAP_SASLAUTHD
in the source code for documentation.
Another approach is to use the pam backend, and use a pam ldap module to
handle authentication, which makes sense if you're already using one for
other authentication systems.
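As an added example (not from this thread or from the Cyrus project), the PLAIN + saslauthd + LDAP setup discussed above, with TLS on both the LDAP and SMTP legs so no plaintext password is stored or sent in the clear. It assumes Postfix as the MTA; hostnames, DNs, file paths and the service-account password are placeholders.

```conf
# /etc/saslauthd.conf -- saslauthd LDAP backend (constructed example; see
# saslauthd/LDAP_SASLAUTHD in the Cyrus SASL source for all keys).
# Placeholders: ldap.example.com, the DNs, the CA bundle path, the bind password.
ldap_servers: ldaps://ldap.example.com/
ldap_version: 3
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
# "bind": look up the user's DN, then bind as that DN with the password the
# client supplied. Nothing password-like is stored on the mail host; the only
# secret here is a read-only search account (omit it if anonymous search works).
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: PLACEHOLDER_SEARCH_ACCOUNT_PASSWORD
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
ldap_timeout: 10

# /etc/sasl2/smtpd.conf (path varies by distribution; some use /usr/lib/sasl2/)
# saslauthd only ever sees the cleartext password, so restrict the server to
# the cleartext mechanisms; TLS below keeps them off the wire in the clear.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# /etc/postfix/main.cf (relevant lines only)
# smtpd_tls_auth_only refuses AUTH until STARTTLS has completed, so PLAIN
# and LOGIN are never offered on an unencrypted session.
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous

# Start saslauthd against that config and check a login before wiring up the MTA:
#   saslauthd -a ldap -O /etc/saslauthd.conf
#   testsaslauthd -u jdoe -p 'the-users-password' -s smtp
# testsaslauthd prints "0: OK \"Success.\"" on a successful bind.
```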