2 cyrus-sasl questions
Jan Parcel
jan.parcel at oracle.com
Thu Feb 19 16:27:24 EST 2015
On 02/19/15 12:13 PM, Dan White wrote:
> On 02/19/15 11:38 -0800, Jan Parcel wrote:
>> 1. Is there a scram sha-1 plugin by CMU? If not, is there another
>> one with a BSD-style licence that is recommended?
>
> The SCRAM mechanism was added in the 2.1.25 release.
So scram is the same as scram-sha1? I see a lot of ifs in scram.c
>
>> 2. What is the best and most-secure way to use sendmail with sasl on
>> *nix to connect to AD *without* keeping passwords in the clear?
>> ("best" includes ease of administration.....)
>
> Between the sendmail server and the AD server, GSSAPI would be the
> obvious choice.
>
> If you need to support relay authentication from SMTP clients to the AD
> server, GSSAPI is not a viable choice since many SMTP clients don't
> support it.
>
> Your other option (for relayed authentication) is to perform PLAIN
> over TLS between the client and the sendmail server, which in turn
> performs DIGEST-MD5 over TLS over LDAP to the AD server, which would
> protect the password in transit over both legs of the network.
>
Thanks! And that keeps nothing in the clear?