2 cyrus-sasl questions

Dan White dwhite at olp.net
Thu Feb 19 15:13:25 EST 2015


On 02/19/15 11:38 -0800, Jan Parcel wrote:
>1.  Is there a scram sha-1 plugin by CMU?  If not, is there another
>one with a BSD-style licence that is recommended?

The SCRAM mechanism was added in the 2.1.25 release.

>2.  What is the best and most-secure way to use sendmail with sasl on
>*nix to connect to AD *without* keeping passwords in the clear?
>("best" includes ease of administration.....)

Between the sendmail server and the AD server, GSSAPI would be the obvious
choice.

If you need to support relay authentication from SMTP clients to the AD
server, GSSAPI is not a viable choice since many SMTP clients don't support
it.

Your other option (for relayed authentication) is to perform PLAIN over TLS
between the client and the sendmail server, which in turn performs
DIGEST-MD5 over TLS over LDAP to the AD server, which would protect the
password in transit over both legs of the network.

-- 
Dan White
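A check for the client-to-sendmail leg of the design above: the relay should advertise PLAIN/LOGIN only after STARTTLS (which sendmail's confAUTH_OPTIONS `p` flag enforces). This script is an added example, not from the thread or the Cyrus project; the host relay.example.net and the sample EHLO replies are constructed for illustration.

```python
import re
import smtplib
import ssl

# Mechanisms that hand the password to the server in the clear (PLAIN) or
# trivially decodable (LOGIN); these must only appear once TLS is active.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample EHLO replies (not captured from any real server).
GOOD_BEFORE = (b"250-relay.example.net Hello [192.0.2.10]\r\n"
               b"250-STARTTLS\r\n250-AUTH DIGEST-MD5\r\n250 HELP")
GOOD_AFTER = (b"250-relay.example.net Hello [192.0.2.10]\r\n"
              b"250-AUTH DIGEST-MD5 PLAIN LOGIN\r\n250 HELP")
BAD_BEFORE = (b"250-relay.example.net Hello [192.0.2.10]\r\n"
              b"250-STARTTLS\r\n250-AUTH PLAIN LOGIN DIGEST-MD5\r\n250 HELP")


def auth_mechs(ehlo_reply: bytes) -> set:
    """Return the SASL mechanisms advertised in an EHLO reply.

    Accepts either a raw reply ('250-AUTH PLAIN LOGIN') or smtplib's
    ehlo_resp, which has the '250-' prefix already stripped.
    """
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        body = re.sub(r"^\d{3}[ -]", "", line).strip()
        # Some servers use the obsolete 'AUTH=' form; treat both alike.
        if re.match(r"(?i)^AUTH[ =]", body):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def classify(before_tls: set, after_tls: set) -> dict:
    """Judge a relay by what it offers before and after STARTTLS."""
    return {
        "cleartext_exposed": bool(before_tls & CLEARTEXT_MECHS),  # must be False
        "plain_after_tls": bool(after_tls & CLEARTEXT_MECHS),  # what relay clients need
    }


def probe(host: str, port: int = 25) -> dict:
    """Live check: EHLO, STARTTLS, EHLO again, then compare the two offers."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = auth_mechs(s.ehlo_resp)
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # capabilities must be re-read after the TLS handshake
        return classify(before, auth_mechs(s.ehlo_resp))


if __name__ == "__main__":
    print("hardened:", classify(auth_mechs(GOOD_BEFORE), auth_mechs(GOOD_AFTER)))
    print("weak:    ", classify(auth_mechs(BAD_BEFORE), auth_mechs(GOOD_AFTER)))
```

Run `probe("relay.example.net")` against your own relay; `cleartext_exposed` must come back False while `plain_after_tls` is True for the PLAIN-over-TLS client leg.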