Please - correct me if I'm wrong - auxprop sasldb versus saslauthd sasldb

Sascha Vogt cyradm at papa.at
Mon Aug 25 16:45:33 EDT 2008


Dan White schrieb:
> Sascha Vogt wrote:
>> Hi List!
>>
>> Should those two /usr/lib/sasl2/Sendmail.conf files do the same or not?
>>
>> -------------------Sendmail.conf variant 1-----------------------------
>> pwcheck_method: saslauthd
>> mech_list: login plain
>> -------------------------------------------------------------------------------- 
>>
>> Together with that, saslauthd is started with "-a sasldb".
>>
>> ------------------Sendmail.conf variant 2------------------------------
>> pw_check_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: login plain
>> -------------------------------------------------------------------------------- 
>>
>> With that, saslauthd can stay asleep.
>>
>
> Sascha,
>
> You've got a typo in the second config. 'pw_check_method' is wrong.
>
> Also, you may want to look at your mail.log and auth.log files for 
> errors.
>
> - Dan
Hi Dan!

Thanks for the hint, but this was just a typo in my message. It was late 
and all I want to know is - should both configurations (without typos) 
do basically the same, or not?

To clear things up. The original target was and is a setup with sendmail 
offering optional SSL and TLS. Plain, login, cram-md5 and digest-md5 as 
auth-mechs, all against (cleartext) credentials in OpenLDAP via auxprop 
and ldapdb. I got OpenLDAP working with sshd via PAM (actually using 
saslauthd). But couldn't get sendmail to do its job. So I tried to narrow 
down the problem by trying it with auxprop and sasldb, which didn't work 
either. Then I tried it with saslauthd and sasldb, which worked. It even 
worked with openldap (only plain and login mechs of course). Problem is, 
that saslauthd doesn't allow sendmail to use *-md5 mechs.

Anyway it's kind of frustrating. I really would love an option for 
libsasl to produce some lines in my logs. Things like who called, asked 
for what, where it searched for what, and what it found there. And which 
plugins were used to do all that. Since SASL is a little hydra with so 
many ways to do and configure things, that would help a lot. In my 
personal opinion, I believe that's one of the reasons why people stick 
with weak, out-of-the-box security, because doing it the right way 
drives them crazy or, even worse, back to Redmond.

Sticking to PLAIN and LOGIN is simply unacceptable, since everybody who 
can catch a piece of mail.log (maybe from a backup) and understands 
base64 encoding receives all other user credentials served for free. And 
SSL or TLS would not help to prevent this. Of course I could run a lower 
log_level than 29, but there are reasons to stay with it.

Sorry for that... It had to be said...

Sascha
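Editor's note, added to this archived thread and not part of Sascha's or Dan's messages: the two points the message turns on (why saslauthd cannot serve CRAM-MD5 or DIGEST-MD5, and why PLAIN/LOGIN blobs in a log are credentials in the clear) can be shown in a few lines. saslauthd is a password-verification daemon: libsasl hands it a username and a candidate password and gets back yes or no, so it can only verify mechanisms in which the client sends the password itself (PLAIN, LOGIN). The shared-secret mechanisms need the server to fetch the stored plaintext secret and recompute the client's HMAC, which is what an auxprop plugin (sasldb, ldapdb) provides; that is why `pwcheck_method: auxprop` with `auxprop_plugin: sasldb` is not equivalent to `pwcheck_method: saslauthd` with `saslauthd -a sasldb`. The example below is the editor's own Python, not Cyrus SASL code: it models both back ends, runs a CRAM-MD5 exchange, and decodes constructed log lines (the log format, host names, `alice`/`s3cr3t` and the nonce are all made up) to show what a log reader recovers from each mechanism.

```python
import base64
import hashlib
import hmac
import re

# Constructed user database: one plaintext secret per user, i.e. what an
# auxprop lookup (sasldb, ldapdb) returns to libsasl.  Hypothetical data.
AUXPROP_DB = {"alice": "s3cr3t"}


def saslauthd_check(user: str, password: str) -> bool:
    """Model of saslauthd: a yes/no answer to 'is this the right password?'.
    It never hands the secret back, so only PLAIN/LOGIN can go through it."""
    return AUXPROP_DB.get(user) == password


def auxprop_lookup(user: str):
    """Model of an auxprop plugin: returns the stored plaintext secret."""
    return AUXPROP_DB.get(user)


def decode_plain(blob_b64: str):
    """Decode an AUTH PLAIN blob: authzid NUL authcid NUL password."""
    authzid, authcid, password = base64.b64decode(blob_b64).decode().split("\0")
    return authzid, authcid, password


def decode_login(user_b64: str, pass_b64: str):
    """Decode the two base64 lines the client sends for AUTH LOGIN."""
    return base64.b64decode(user_b64).decode(), base64.b64decode(pass_b64).decode()


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response_b64: str, challenge: str) -> bool:
    """Server side of CRAM-MD5.  It must recompute the HMAC from the stored
    plaintext secret, so it can only work with an auxprop-style lookup;
    a yes/no checker like saslauthd has nothing to compare against."""
    user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    secret = auxprop_lookup(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def sample_log():
    """Constructed log lines (not real sendmail output) echoing the AUTH
    dialogue of three sessions: PLAIN, LOGIN and CRAM-MD5."""
    challenge = "<1219697133.4711@mx.example>"  # constructed server nonce
    pre = "Aug 25 16:45:33 mx sendmail[4711]: "
    return [
        pre + "AUTH PLAIN AGFsaWNlAHMzY3IzdA==",   # base64("\0alice\0s3cr3t")
        pre + "AUTH LOGIN",
        pre + "C: YWxpY2U=",                         # base64("alice")
        pre + "C: czNjcjN0",                         # base64("s3cr3t")
        pre + "AUTH CRAM-MD5",
        pre + "S: " + base64.b64encode(challenge.encode()).decode(),
        pre + "C: " + cram_md5_response("alice", "s3cr3t", challenge),
    ]


def harvest(log_lines):
    """What a log reader gets per mechanism: PLAIN and LOGIN yield the
    password; CRAM-MD5 yields the user name and an HMAC, no password."""
    found, mech, buf = [], None, []
    for line in log_lines:
        m = re.search(r"AUTH (PLAIN|LOGIN|CRAM-MD5)(?: (\S+))?$", line)
        if m:
            mech, buf = m.group(1), []
            if mech == "PLAIN" and m.group(2):
                _, user, pw = decode_plain(m.group(2))
                found.append(("PLAIN", user, pw))
                mech = None
            continue
        c = re.search(r" [CS]: (\S+)$", line)
        if mech and c:
            buf.append(c.group(1))
            if mech == "LOGIN" and len(buf) == 2:
                found.append(("LOGIN", *decode_login(*buf)))
                mech = None
            elif mech == "CRAM-MD5" and len(buf) == 2:
                user, _digest = base64.b64decode(buf[1]).decode().split(" ", 1)
                found.append(("CRAM-MD5", user, None))  # digest only, no password
                mech = None
    return found


if __name__ == "__main__":
    for mech, user, password in harvest(sample_log()):
        print(f"{mech:9} user={user} password={password}")
```

Two caveats for anyone reading this thread today. First, the reason CRAM-MD5 and DIGEST-MD5 need auxprop is also their cost: the server must keep a plaintext-equivalent secret per user, so a copy of sasldb or the LDAP attribute is as damaging as the log excerpt Sascha describes. Second, both mechanisms have since been deprecated (RFC 6331 moved DIGEST-MD5 to historic); the usual answer now is TLS-only submission with PLAIN or SCRAM and a log level that never records the AUTH payload.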
