howto use sasl

Alexander Dalloz ad+lists at uni-x.org
Sun Mar 5 16:36:19 EST 2006


On Sun, 05.03.2006, julius Junghans wrote at 21:11:

> Thx for the documents, but as mentioned on the first page it's still 
> difficult.

> /etc/sasl2/smtpd.conf
> #global
> pwcheck_method: sasldb

That is not proper with SASLv2. You must use

pwcheck_method: auxprop
auxprop_plugin: sasldb

But you can omit that, as it is the default and automatic fallback
backend method.

> log_level: 4
> mech_list: DIGEST-MD5
> 
> #auxiliary plugin parameters
> #auxprop_plugin: sasldb
> sasldb_path: /etc/sasl2/sasldb2
> 
> #not safe, testing only
> ls -lh /etc/sasl2/
> insgesamt 392K
> lrwxrwxrwx  1 root root   10  5. Mär 20:40 sample.conf -> smtpd.conf
> -rwxrwxrwx  1 root root 385K  5. Mär 20:45 sasldb2

Awful permissions! Secure the auth data in there by setting proper unix
permissions.

> -rwxrwxrwx  1 root root  265  5. Mär 20:52 smtpd.conf
> 
> 
> #my test user:
> saslpasswd2 -c sales -u schleppi.localdomain
>
> #/etc/hosts
> 192.168.10.66   schleppi.localdomain    schleppi
> 
> 
> sasldblistusers2
> sales at schleppi.localhost: userPassword
> 
> 
> 
> #client
> ./client -p 30000 localhost -m DIGEST-MD5
> receiving capability list... recv: {46}
> ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> send: {10}
> DIGEST-MD5
> send: {1}
> N
> recv: {113}
> nonce="dSTaTSBVCxPa3ul0sopC+O856Eh7k2m5wronG5MJYmc=",realm="schleppi",qop="auth",charset=utf-8,algorithm=md5-sess

According to your sasldb2 / saslpasswd your realm is
"schleppi.localdomain" and not "schleppi".

> please enter an authentication id: sales
> please enter an authorization id: sales
> Password:
> send: {231}
> username="sales",realm="schleppi",nonce="dSTaTSBVCxPa3ul0sopC+O856Eh7k2m5wronG5MJYmc=",cnonce="+/3GCg5O7oVdYW0PIEKX9t97CCUzbSRWoPbEMeHFk2s=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=8bd84aa26eb1d8b2eabe91a67ae33dbb
> authentication failed
> closing connection
> 
> 
> #server
> ./server -s rcmd -p 30000 -m DIGEST-MD5         ### what's this rcmd 
> service? it's used in vortrag_cyrus_SASL.pdf
> trying 2, 1, 6
> trying 10, 1, 6
> socket: Address family not supported by protocol
> accepted new connection
> send: {10}
> DIGEST-MD5
> recv: {10}
> DIGEST-MD5
> recv: {1}
> N
> send: {113}
> nonce="xUDjZNEzv6FHtF3R8veYONSMFz1/ccwuHyCuWAfakFA=",realm="schleppi",qop="auth",charset=utf-8,algorithm=md5-sess
> recv: {231}
> username="sales",realm="schleppi",nonce="xUDjZNEzv6FHtF3R8veYONSMFz1/ccwuHyCuWAfakFA=",cnonce="YfLO87mIQCYN9MO2pegvY8oaFXk0xfMCT8Fuzxe/eJ8=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=2c38b9309e288dd75d866c5d3892d118

realm mismatch here too.

> performing SASL negotiation: user not foundclosing connection
> 
> 
> okay, so the user isn't found, why?

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 22:28:48 up 10 days, 17 users, load average: 0.11, 0.19,
0.18 
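
The realm mismatch pointed out in the reply, worked through as an added example (not part of the original post and not Cyrus SASL's own code): it parses the server challenge from the client transcript, compares its realm with the one passed to `saslpasswd2 -u`, and computes the RFC 2831 md5-sess response to show that the realm is hashed into it. The function names are hypothetical, and the password and cnonce are constructed placeholders because the real ones are not on the page.

```python
import hashlib
import re

def parse_directives(text):
    """Parse a DIGEST-MD5 directive list (key=value or key="value")."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', text)}

def _md5(data):
    return hashlib.md5(data).digest()

def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 client response for algorithm=md5-sess, qop=auth, no authzid."""
    secret = _md5(f"{user}:{realm}:{password}".encode())        # realm is part of the secret
    ha1 = _md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = _md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def realm_mismatch(challenge, stored_realm):
    """Return (offered, stored) when the challenge realm differs, else None."""
    offered = parse_directives(challenge).get("realm")
    return None if offered == stored_realm else (offered, stored_realm)

# Server challenge copied from the client transcript in the post.
CHALLENGE = ('nonce="dSTaTSBVCxPa3ul0sopC+O856Eh7k2m5wronG5MJYmc=",realm="schleppi",'
             'qop="auth",charset=utf-8,algorithm=md5-sess')
STORED_REALM = "schleppi.localdomain"  # from: saslpasswd2 -c sales -u schleppi.localdomain
PASSWORD = "example-password"          # constructed placeholder

if __name__ == "__main__":
    params = parse_directives(CHALLENGE)
    print("mismatch (offered, stored):", realm_mismatch(CHALLENGE, STORED_REALM))
    for realm in (params["realm"], STORED_REALM):
        resp = digest_md5_response("sales", realm, PASSWORD, params["nonce"],
                                   "constructed-cnonce", "00000001", "rcmd/localhost")
        print(f"{realm:22} -> {resp}")
```

sasldb keys each entry by user name and realm, so a lookup under realm "schleppi" does not find the entry created for "schleppi.localdomain", which matches the server's "user not found".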