2 cyrus-sasl questions

Jan Parcel jan.parcel at oracle.com
Thu Feb 19 16:27:24 EST 2015


On 02/19/15 12:13 PM, Dan White wrote:
> On 02/19/15 11:38 -0800, Jan Parcel wrote:
>> 1.  Is there a SCRAM-SHA-1 plugin by CMU?  If not, is there another
>> one with a BSD-style licence that is recommended?
>
> The SCRAM mechanism was added in the 2.1.25 release.
So SCRAM is the same as SCRAM-SHA-1?  I see a lot of ifs in scram.c

>
>> 2.  What is the best and most secure way to use sendmail with SASL on
>> *nix to connect to AD *without* keeping passwords in the clear?
>> ("best" includes ease of administration.....)
>
> Between the sendmail server and the AD server, GSSAPI would be the
> obvious choice.
>
> If you need to support relay authentication from SMTP clients to the AD
> server, GSSAPI is not a viable choice since many SMTP clients don't
> support it.
>
> Your other option (for relayed authentication) is to perform PLAIN
> over TLS between the client and the sendmail server, which in turn
> performs DIGEST-MD5 over TLS over LDAP to the AD server, which would
> protect the password in transit over both legs of the network.
>
Thanks!  And that keeps nothing in the clear?
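
The two-leg setup Dan describes (PLAIN only under STARTTLS from the SMTP
client to sendmail, then a DIGEST-MD5 SASL bind over STARTTLS from
saslauthd to the domain controllers), written out as configuration.  This
is an added example, not configuration from the thread or from the Cyrus
or sendmail projects; the hostnames, certificate paths, search base, filter
and service account are assumptions, and file locations vary by
distribution.  Each fragment is labelled with the file it belongs in.

```text
# ---- /etc/saslauthd.conf  (saslauthd started with: saslauthd -a ldap -O /etc/saslauthd.conf)
# Added example; hosts, DNs and paths are assumed, not from the thread.
ldap_servers: ldap://dc1.example.com ldap://dc2.example.com
ldap_version: 3

# Leg 2 transport: upgrade the LDAP session with STARTTLS before any bind,
# and require the DC certificate to verify against the corporate CA.
# Leaving ldap_start_tls at its default (no) would send the LDAP session,
# including the user's DN and the DIGEST-MD5 exchange, unencrypted.
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-corp-ca.pem

# Leg 2 authentication: "bind" looks the user up with the service account
# below and then binds as the user.  With ldap_use_sasl the user bind is a
# SASL bind using DIGEST-MD5, so the password itself is never placed in a
# simple-bind request; only the challenge/response digest crosses the wire.
ldap_auth_method: bind
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (sAMAccountName=%u)

# Read-only search account.  Its password has to be stored here, so this
# file must be root-owned and mode 0600; it is the one secret that remains
# on disk in this design.
ldap_bind_dn: cn=saslauthd,ou=service,dc=example,dc=com
ldap_bind_pw: <service-account-password>

# ---- /etc/sasl2/Sendmail.conf  (some systems use /usr/lib/sasl2/Sendmail.conf)
# saslauthd can only verify plaintext credentials, which is why the client
# leg is PLAIN/LOGIN and must be protected by TLS on the SMTP side.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# ---- sendmail.mc excerpt (regenerate sendmail.cf with m4 afterwards)
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
dnl A: honour AUTH= on MAIL FROM only after successful authentication
dnl p: do not advertise PLAIN/LOGIN until a security layer (STARTTLS) is up
dnl y: do not permit anonymous login
dnl Dropping "p" is the weak setting: sendmail would then offer PLAIN on a
dnl cleartext session and a client could send the password unprotected.
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.example.com.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/smtp.example.com.key')dnl
```

Two checks before relying on this: run `testsaslauthd -u <user> -p
<password>` against the saslauthd socket to confirm the LDAP leg works,
and connect to port 25 in the clear to confirm that `EHLO` does not list
`AUTH PLAIN LOGIN` until after `STARTTLS`.  One caveat that the thread does
not mention: Active Directory can only complete DIGEST-MD5 for accounts
whose password is stored with reversible encryption enabled, so the
DIGEST-MD5 leg only works for users with that setting.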

