Please - correct me if I'm wrong - auxprop sasldb versus saslauthd sasldb
Sascha Vogt
cyradm at papa.at
Mon Aug 25 16:45:33 EDT 2008
Dan White schrieb:
> Sascha Vogt wrote:
>> Hi List!
>>
>> Should those two /usr/lib/sasl2/Sendmail.conf files do the same or not?
>>
>> -------------------Sendmail.conf variant 1-----------------------------
>> pwcheck_method: saslauthd
>> mech_list: login plain
>> --------------------------------------------------------------------------------
>>
>> Together with that, saslauthd ist started with "-a sasldb".
>>
>> ------------------Sendmail.conf variant 2------------------------------
>> pw_check_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: login plain
>> --------------------------------------------------------------------------------
>>
>> With that, saslauthd can stay asleep.
>>
>
> Sascha,
>
> You've got a typo in the second config. 'pw_check_method' is wrong.
>
> Also, you may want to look at your mail.log and auth.log files for
> errors.
>
> - Dan
Hi Dan!
Thanks for the hint, but this was just a typo in my message. It was late
and all I want to know is - should both configurations (without typos)
do basicly the same, or not?
To clear things up. The original target was and is a setup with sendmail
offering optional SSL and TLS. Plain, login, cram-md5 and digest-md5 as
auth-mechs, all against (cleartext) credentials in OpenLDAP via auxprop
and ldapdb. I got OpenLDAP working with sshd via PAM (actually using
saslauthd). But couldn't get sendmail to do it's job. So I tried narrow
the problem by trying it with auxprop and sasldb, which didn't work
either. Then I tried it with saslauthd and sasldb which worked. It even
worked with openldap (only plain and login mechs of course). Problem is,
that saslauthd doesn't allow sendmail to use *-md5 mechs.
Anyway it's kind of frustating. I really would love an option for
libsasl to produce some lines in my logs. Things like who called, asked
for what, where it searched for what, and what it found there. And which
plugins were used to do all that. Since SASL is a little hydra with so
many ways to do and configure things, that would help a lot. In my
personal opinion, I believe that's one of the reasons why people stick
with weak, out of the box security, because doing it the right way
drives them crazy or even worse, back to Redmond.
Sticking to PLAIN and LOGIN is simply inacceptible, since everybody who
can catch a peace of mail.log (maybe from a backup) and understands
base64 encoding receives all other user-credentials served for free. And
SSL or TLS would not help to prevent this. Of course I could run a lower
log_level than 29, but there are reasons to stay with it.
Sorry for that... It had to be said...
Sascha
More information about the Cyrus-sasl
mailing list