libsasl + smtp w/o clear passwd storage?

Dan White dwhite at olp.net
Fri Feb 5 17:26:26 EST 2016


On 02/05/16 13:44 -0800, Jan Parcel via Cyrus-devel wrote:
>On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
>>On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
>>>I think there MUST be a way to use libsasl with smtp without storing
>>>passwords in the clear, and ESPECIALLY not on each local system, but
>>>nowhere in the docs is an example for how to do so.
>>
>>This used to be possible using DIGEST-MD5, where the server stores 
>>MD5(username:realm:password) instead of the plaintext password. This 
>>is still a password equivalent, but only for the same realm (where 
>>you can define the realm as a single host, or service, or company, 
>>or...).
>>
>>Sadly, Cyrus SASL removed support for this long ago, and now 
>>requires the plaintext password be stored for anything other than 
>>auth methods that send the password in the clear. Nobody ever 
>>explained what the reasoning was for this change, and it still makes 
>>me sad.
>>
>Well, since md5 is now considered weak, that does not appear to be a loss.
>
>So, I want PLAIN, saslauthd, somehow hooked into ldap, without any 
>auxprop plugins?
>
>And use tls or whatever is available on the system for transit privacy?

There is a flexible ldap backend to saslauthd. See saslauthd/LDAP_SASLAUTHD
in the source code for documentation.

Another approach is to use the pam backend, and use a pam ldap module to
handle authentication, which makes sense if you're already using one for
other authentication systems.

-- 
Dan White
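The setup the reply points at (PLAIN over TLS on the SMTP side, saslauthd verifying the password against LDAP, no auxprop plugin and no password stored on the mail host), as an added example that is not part of the thread or of the Cyrus SASL project. The LDAP URL, base DN, service-account DN and file paths are placeholders; the saslauthd.conf key names follow saslauthd/LDAP_SASLAUTHD. The two audit functions encode the checks a practitioner wants here: the file holding the service account's bind password must not be world-readable, and the application's mech_list must not include CRAM-MD5 or DIGEST-MD5, because those need a plaintext secret from an auxprop plugin, which is exactly what the original poster wants to avoid.

```shell
#!/bin/sh
# Added example, not project code. Writes and audits the two config files for
# "PLAIN over TLS, verified by saslauthd against LDAP". All names are placeholders.
set -eu
umask 077   # every file created below starts out readable by its owner only

# saslauthd.conf for the LDAP backend in "bind" mode: saslauthd searches for the
# user's DN with the read-only service account, then binds to LDAP as that user
# with the password the SMTP client presented. No user password is stored locally;
# only the service account's secret lives in this file, hence the 0600 mode.
write_saslauthd_conf() {
    f=$1
    cat >"$f" <<'EOF'
ldap_servers: ldaps://ldap.example.com/
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_password: REPLACE-WITH-SERVICE-ACCOUNT-SECRET
ldap_timeout: 10
EOF
}

# Application-side SASL config (e.g. smtpd.conf for the SMTP server). saslauthd
# can only verify plaintext credentials, so the mech_list is PLAIN and LOGIN;
# the server must restrict both to TLS-protected sessions in its own config.
write_app_conf() {
    f=$1
    cat >"$f" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
}

# audit_secret_file FILE: succeed only if FILE is mode 0600 or 0400.
audit_secret_file() {
    f=$1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "FAIL: $f is mode $mode, expected 0600 (it holds ldap_password)" >&2
           return 1 ;;
    esac
}

# audit_mech_list FILE: fail if FILE enables a mechanism that needs the plaintext
# password via auxprop (CRAM-MD5, DIGEST-MD5) or does not hand checks to saslauthd.
audit_mech_list() {
    f=$1
    if ! grep -qi '^pwcheck_method:[[:space:]]*saslauthd' "$f"; then
        echo "FAIL: $f does not set pwcheck_method: saslauthd" >&2
        return 1
    fi
    if grep -Eqi '^mech_list:.*(CRAM-MD5|DIGEST-MD5)' "$f"; then
        echo "FAIL: $f lists a mechanism that requires stored plaintext" >&2
        return 1
    fi
    return 0
}

# Usage on the mail host (as root; the application config path is OS-specific):
#   write_saslauthd_conf /etc/saslauthd.conf
#   write_app_conf /usr/lib/sasl2/smtpd.conf
#   audit_secret_file /etc/saslauthd.conf && audit_mech_list /usr/lib/sasl2/smtpd.conf
#   saslauthd -a ldap -O /etc/saslauthd.conf
#   testsaslauthd -u alice -p 'her-password' -s smtp
```

The `testsaslauthd` call is the end-to-end check: it talks to the running saslauthd over its socket exactly as the SMTP server would, so a success there with no auxprop plugin loaded confirms that nothing on the mail host needs the user's password at rest.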

