cyrus-sasl mysql auth problem

Roberto C. Sanchez roberto at connexer.com
Sat Feb 10 10:07:01 EST 2007


On Sat, Feb 10, 2007 at 10:24:44AM +0100, Patrick Ben Koetter wrote:
> * Roberto C. Sanchez <roberto at connexer.com>:
> > On Fri, Feb 09, 2007 at 03:59:49PM -0500, Jeremiah Towe wrote:
> > > 
> > > mysql> select * from accountuser;
> > > | username         | password      | prefix       | domain_name      |
> > > | maxyourstats0001 | newtest       | maxyourstats | maxyourstats.com |
> > > 
> > This might be OT, but why on Earth would you store the password in
> > *plaintext* in the database?
> 
> Because shared-secret mechanisms require the password in plaintext for
> comparison?
> 

Hmm.  Then how do things like Postfix and Cyrus authenticate against
system user accounts?  Those are stored either crypt()ed or in md5
format.

I have a setup on a couple of servers using Postfix (SMTP AUTH for
sending) and Courier IMAP (authdaemon for IMAP access) and I store the
passwords MD5 encrypted in the database.  Of course, this essentially
mandates SSL encryption for anything requiring authentication, IIRC,
since PLAIN authentication must be used.

I have had no problems with this setup.  Personally, there is nothing
that would make me consider storing passwords in cleartext in the
database.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
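
An added example, not part of the original message or of the Cyrus SASL or Postfix code, showing the trade-off discussed in this thread: a server holding only a one-way hash can verify SASL PLAIN, while a challenge-response mechanism such as CRAM-MD5 needs the shared secret itself. PBKDF2 stands in for the crypt()/MD5 formats mentioned above, and the work factor, challenge string and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample account, reusing the row shown in the quoted table.
USER, PASSWORD = "maxyourstats0001", "newtest"
ROUNDS = 100_000  # assumed work factor for this sketch

def store_hashed(password, salt=None):
    """Salted one-way record; PBKDF2 stands in for crypt()/MD5 here."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_plain(message, db):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd.
    The password itself arrives, so the server can re-hash and compare."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    record = db.get(parts[1].decode("utf-8", "replace"))
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", parts[2], salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): only an HMAC crosses the wire."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user.encode() + b" " + mac.encode()

def verify_cram_md5(response, challenge, secret):
    """Server side: must key the HMAC with the same secret as the client."""
    _user, _, mac = response.rpartition(b" ")
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(mac, expected)

def demo():
    db = {USER: store_hashed(PASSWORD)}
    challenge = b"<1896.697170952@mail.example.test>"  # constructed challenge
    resp = cram_md5_response(USER, PASSWORD, challenge)
    return {
        "plain_vs_hashed_db": verify_plain(b"\0%s\0%s" % (USER.encode(), PASSWORD.encode()), db),
        "cram_vs_plaintext_db": verify_cram_md5(resp, challenge, PASSWORD.encode()),
        "cram_vs_hashed_db": verify_cram_md5(resp, challenge, db[USER][1]),
    }

if __name__ == "__main__":
    print(demo())
```

Because PLAIN carries the password itself, the hashed-storage variant is only as safe as the TLS session it runs inside.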