Enabling cyrus-sasl for gssapi

Dan White dwhite at olp.net
Fri Dec 15 12:36:33 EST 2017


On 12/15/17 12:21 -0500, Mark Foley wrote:
>Yes, that's the exact page I've been consulting.
>
>This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
>further advises downloading and applying *REQUIRED* patches:
>
>cyrus-sasl-2.1.26-fixes-3.patch
>cyrus-sasl-2.1.26-openssl-1.1.0-1.patch

I haven't reviewed the patches, but it's probably a good idea to use them,
unless you're using a 2.1.27 prerelease, or you could download the
source+patches for your base system (e.g. Debian or Redhat).

>Finally, if you've read this far! You wrote in a previous message:
>
>> I would personally not use saslauthd in the above manner [authenticating with
>> sendmail].  If you have a controlled environment where your clients
>> (Thunderbird) are known to support GSSAPI negotiation over the network, then
>> configuring Sendmail to support GSSAPI directly is secure and recommended.
>
>The "configuring Sendmail to support GSSAPI directly" is the bit that got my
>attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
>SASL, but *do not* need saslauthd, right?

Yes, that's correct. You'd configure Sendmail to use the GSSAPI
authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
irrelevant.
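
An added example, not part of the original message: a small Python check that a Sendmail setup offers GSSAPI without PLAIN or LOGIN, as the reply above describes. It assumes the Cyrus SASL application config is Sendmail.conf and that the mechanisms are set in sendmail.mc via confAUTH_MECHANISMS and TRUST_AUTH_MECH; the sample configs are constructed.

```python
import re

# Mechanisms that hand the server a password; per the reply, leave these out.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}
MC_PATTERNS = {
    "confAUTH_MECHANISMS": re.compile(r"define\(`confAUTH_MECHANISMS',\s*`([^']*)'\)"),
    "TRUST_AUTH_MECH": re.compile(r"TRUST_AUTH_MECH\(`([^']*)'\)"),
}

def sasl_mech_list(conf_text):
    """Return mech_list from a Cyrus SASL 'key: value' config, or None if unset."""
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep and not key.startswith("#") and key.strip().lower() == "mech_list":
            return [m.upper() for m in value.split()]
    return None

def mc_mechs(mc_text, name):
    """Return the mechanisms one sendmail.mc macro sets (m4 quotes are `...'), skipping dnl lines."""
    mechs = []
    for raw in mc_text.splitlines():
        m = None if raw.lstrip().startswith("dnl") else MC_PATTERNS[name].search(raw)
        if m:
            mechs = [x.upper() for x in m.group(1).split()]
    return mechs

def audit(sasl_conf, sendmail_mc):
    """List every place that still offers PLAIN or LOGIN, or fails to offer GSSAPI."""
    findings = []
    mech_list = sasl_mech_list(sasl_conf)
    if mech_list is None:
        findings.append("Sendmail.conf: mech_list unset, all installed plugins offered")
    else:
        if "GSSAPI" not in mech_list:
            findings.append("Sendmail.conf: GSSAPI missing from mech_list")
        for mech in sorted(PASSWORD_MECHS & set(mech_list)):
            findings.append("Sendmail.conf: mech_list offers " + mech)
    for name in MC_PATTERNS:
        for mech in sorted(PASSWORD_MECHS & set(mc_mechs(sendmail_mc, name))):
            findings.append("sendmail.mc: %s allows %s" % (name, mech))
    return findings

# Constructed sample configs (not from the thread).
BEFORE_SASL = "pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n"
AFTER_SASL = "mech_list: GSSAPI\n"
BEFORE_MC = "define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl\nTRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl\n"
AFTER_MC = "define(`confAUTH_MECHANISMS', `GSSAPI')dnl\nTRUST_AUTH_MECH(`GSSAPI')dnl\n"

if __name__ == "__main__":
    for label, s, m in (("before", BEFORE_SASL, BEFORE_MC), ("after", AFTER_SASL, AFTER_MC)):
        print(label, audit(s, m) or "only GSSAPI offered")
```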

