saslauth configuration question

Dan White dwhite at olp.net
Mon Jan 14 15:07:33 EST 2013


On 01/14/13 19:39 +0000, Charles Bradshaw wrote:
>I am considering switching my smtpd from sendmail to postfix, but I am a
>little confused.
>
>The following snip from http://www.postfix.org/SASL_README.html
>
>"
>/etc/sasl2/smtpd.conf:
>    pwcheck_method: saslauthd
>    mech_list: PLAIN LOGIN
>
>Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
>using saslauthd! It can only handle these two mechanisms, and authentication
>will fail if clients are allowed to choose other mechanisms.
>"
>
>Appears to be wrong! I have the sasl2 configuration:
>
>/etc/sasl2/Sendmail.conf:
>    pwcheck_method: saslauthd
>    mech_list: DIGEST-MD5 PLAIN
>
>>> DEFINITELY WORKING <<
>
>Admittedly, I am using sendmail and not postfix so perhaps I have a
>misconfiguration somewhere. The server in question is using /etc/salsdb with some
>test users NOT having accounts on the server and the debug dialogs clearly
>show that DIGEST-MD5 is being used.
>
>The above quote, cut and paste from the readme, contains a clear enough
>statement, except for the grammar, i.e. the word "other" missing between the
>words "mech_list" and "than". But:
>
>I'm confused because I have a solid, tested, working example which contradicts
>the postfix readme.
>
>Is the operation of Sendmail.conf somehow different to smtpd.conf?
>
>Further on the readme does say:
>
>/etc/sasl2/smtpd.conf:
>    pwcheck_method: auxprop
>    auxprop_plugin: sasldb
>    mech_list: CRAM-MD5 PLAIN
>
>Which also works.
>
>Is there a rational explanation or do I just put it down to a ghost in the
>machine?

What saslauthd backend are you using?

Typically saslauthd is not used when you store users in sasldb. It can be
used with sasldb if compiled to do so, and chosen with '-a sasldb'. If your
users are stored within sasldb, you should be doing 'pwcheck_method:
auxprop', instead of running saslauthd, to save yourself some overhead.

pwcheck_method only affects PLAIN and LOGIN authentications. Shared-secret
mechanisms such as DIGEST-MD5 will use your auxprop configuration (such as
sasldb) to authenticate the user.

For an overview, see:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

-- 
Dan White
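
Added example, not part of the original post and not Cyrus SASL code: a small checker that maps each mech_list entry in the configurations quoted above to the component that verifies it, following the reply's explanation. The function names are hypothetical, and the defaults used when an option is absent (pwcheck_method falling back to auxprop, all loaded auxprop plugins being queried) are assumptions stated in the comments.

```python
# Added example: which component verifies each mechanism in mech_list?
PLAINTEXT = {"PLAIN", "LOGIN"}              # server receives the password
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}  # server must look up the secret

def parse_sasl_conf(text):
    """Parse 'option: value' lines of a Cyrus SASL application config."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def verification_paths(text):
    """Return {mechanism: verifier} for every entry in mech_list."""
    opts = parse_sasl_conf(text)
    # Assumed defaults when an option is absent: pwcheck_method falls back
    # to auxprop, and with no auxprop_plugin every loaded plugin is queried.
    pwcheck = opts.get("pwcheck_method", "auxprop")
    auxprop = opts.get("auxprop_plugin", "all loaded plugins")
    paths = {}
    for mech in opts.get("mech_list", "").upper().split():
        if mech in PLAINTEXT and pwcheck != "auxprop":
            paths[mech] = pwcheck          # e.g. handed to saslauthd
        elif mech in PLAINTEXT or mech in SHARED_SECRET:
            paths[mech] = "auxprop (" + auxprop + ")"
        else:
            paths[mech] = "not classified here"
    return paths

# The two configurations quoted in the thread.
SENDMAIL_CONF = """
    pwcheck_method: saslauthd
    mech_list: DIGEST-MD5 PLAIN
"""
AUXPROP_CONF = """
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: CRAM-MD5 PLAIN
"""

if __name__ == "__main__":
    for name, conf in (("Sendmail.conf", SENDMAIL_CONF), ("smtpd.conf", AUXPROP_CONF)):
        for mech, verifier in verification_paths(conf).items():
            print(f"{name}: {mech} -> {verifier}")
```

For the Sendmail.conf above this reports PLAIN going to saslauthd while DIGEST-MD5 goes to auxprop, which is why DIGEST-MD5 can succeed against sasldb even though pwcheck_method names saslauthd.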

