Enabling cyrus-sasl for gssapi
Dan White
dwhite at olp.net
Fri Dec 15 12:36:33 EST 2017
On 12/15/17 12:21 -0500, Mark Foley wrote:
>Yes, that's the exact page I've been consulting.
>
>This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
>further advises downloading and applying *REQUIRED* patches:
>
>cyrus-sasl-2.1.26-fixes-3.patch
>cyrus-sasl-2.1.26-openssl-1.1.0-1.patch
I haven't reviewed the patches, but it's probably a good idea to use them,
unless you're using a 2.1.27 prerelease, or you could download the
source+patches for your base system (e.g. Debian or Redhat).
>Finally, if you've read this far! You wrote in a previous message:
>
>> I would personally not use saslauthd in the above manner [authenticating with
>> sendmail]. If you have a controlled environment where your clients
>> (Thunderbird) are known to support GSSAPI negotiation over the network, then
>> configuring Sendmail to support GSSAPI directly is secure and recommended.
>
>The "configuring Sendmail to support GSSAPI directly" is the bit that got my
>attention. To clarify, in order to do Sendmail and GSSAPI directly I *do* need
>SASL, but *do not* need saslauthd, right?
Yes, that's correct. You'd configure Sendmail to use the GSSAPI
authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
irrelevant.
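
Added example, not part of the original post: a shell check that a Sendmail SASL setup offers only GSSAPI, as the reply above describes, and flags PLAIN, LOGIN or a saslauthd password check. It assumes the Cyrus SASL options `mech_list` and `pwcheck_method` and the sendmail m4 settings `confAUTH_MECHANISMS` and `TRUST_AUTH_MECH`; the file names and contents are constructed samples.

```shell
# Added example; every file written below is a constructed sample.

# Mechanisms named by mech_list in a Cyrus SASL application config.
sasl_mechs() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" | tr 'a-z' 'A-Z'
}

# Mechanisms named in a sendmail .mc file (m4 quote characters stripped first).
mc_mechs() {
    grep -v '^dnl' "$1" | tr -d "\`'" |
        sed -n -e 's/^define(confAUTH_MECHANISMS, *\([^)]*\)).*/\1/p' \
               -e 's/^TRUST_AUTH_MECH(\([^)]*\)).*/\1/p' | tr 'a-z' 'A-Z'
}

# audit SASL_CONF SENDMAIL_MC
# Returns 0 if GSSAPI is the only mechanism; else prints findings, returns 1.
audit() {
    findings=""
    sasl=$(sasl_mechs "$1")
    # Without mech_list, Cyrus SASL offers every installed mechanism plugin.
    [ -n "$sasl" ] || findings=" mech_list-unset"
    for m in $sasl $(mc_mechs "$2"); do
        case "$m" in
            GSSAPI) ;;
            PLAIN|LOGIN) findings="$findings plaintext:$m" ;;
            *) findings="$findings other:$m" ;;
        esac
    done
    if grep -Eq '^[[:space:]]*pwcheck_method[[:space:]]*:[[:space:]]*saslauthd' "$1"; then
        findings="$findings saslauthd"
    fi
    [ -z "$findings" ] && return 0
    echo "${findings# }"
    return 1
}

# Constructed samples: a GSSAPI-only setup and one still offering passwords.
d=$(mktemp -d)
printf 'mech_list: GSSAPI\n' > "$d/good.conf"
printf 'pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n' > "$d/weak.conf"
cat > "$d/good.mc" <<'EOF'
define(`confAUTH_MECHANISMS', `GSSAPI')dnl
TRUST_AUTH_MECH(`GSSAPI')dnl
EOF
cat > "$d/weak.mc" <<'EOF'
define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
EOF
audit "$d/good.conf" "$d/good.mc" && echo "good: GSSAPI only"
audit "$d/weak.conf" "$d/weak.mc" || echo "weak: fix the findings above"
```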