only cleartext in sasldb?

Sarah Walters s.walters at its.uq.edu.au
Wed Sep 27 20:01:41 EDT 2006



> -----Original Message-----
> it seems that sasldb stores all passwords in cleartext. Is it
> possible to use md5 or crypt as in /etc/passwd?

No, it's not. The entire point is to enable using CRAM-MD5 and other
such mechanisms which require access to the plain-text password. The
advantage of this is that you can log in without TLS/SSL if you have to.

I'll admit that it can be irritating, but that file should only be
readable by the cyrus user and the password should only be used for
cyrus anyway. So it doesn't matter - if someone can get read access
to that file with permissions set correctly (owner cyrus, permissions 
set to 700), then they can get into cyrus so your system is compromised
anyway. So who cares?

Make sure that NOTHING else can access that file. Obviously you'll
need to be user cyrus or user root to change any passwords in that
file so don't use it for anything other than admin accounts (or write
a GOOD wrapper that is setuid to user cyrus around the sasldb access
programs if you have to give more people access).

Regards,
Sarah Walters
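The two points in the reply above (CRAM-MD5 needs the plain-text password on the server side, and the sasldb file must be readable by the cyrus user only), as an added worked example that is neither part of the original message nor Cyrus SASL's own code. The in-memory dictionary standing in for sasldb, the hostname, the usernames and the passwords are all constructed for the example; the CRAM-MD5 exchange itself follows RFC 2195 (server challenge, client answers with username and hex HMAC-MD5 keyed by the password).

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
import time

# Constructed stand-in for sasldb: username -> plain-text password.
# This is what the server must hold for CRAM-MD5 to be verifiable.
SASLDB = {"cyrus": "correct-horse-battery-staple"}


def make_challenge(hostname="mail.example.org"):
    """RFC 2195 server challenge: a unique string <random.timestamp@host>."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: base64('username' SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_cram_md5(db, challenge, response_b64):
    """Server side: recompute the HMAC with the *stored* secret and compare.

    The stored secret is the HMAC key, so it has to be the same bytes the
    client used, i.e. the plain-text password. A stored md5()/crypt() of the
    password is a different key and the comparison fails for honest clients.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed response
    secret = db.get(username)
    if secret is None:
        return False  # unknown user
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    """Same valid client response checked against a plain-text store and a hashed store."""
    challenge = make_challenge()
    response = cram_md5_response("cyrus", SASLDB["cyrus"], challenge)
    ok_plain = verify_cram_md5(SASLDB, challenge, response)
    # Hypothetical "md5 as in /etc/passwd" store: verification cannot succeed.
    hashed_db = {u: hashlib.md5(p.encode()).hexdigest() for u, p in SASLDB.items()}
    ok_hashed = verify_cram_md5(hashed_db, challenge, response)
    return ok_plain, ok_hashed


def sasldb_permissions_ok(path, owner_uid):
    """The advice from the mail as a check: owned by the service user, no group/other bits."""
    st = os.stat(path)
    return st.st_uid == owner_uid and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def permission_demo():
    """Apply the check to a constructed temp file with a tight and then a loose mode (Unix only)."""
    fd, path = tempfile.mkstemp(prefix="sasldb2-example-")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        tight = sasldb_permissions_ok(path, os.getuid())
        os.chmod(path, 0o644)
        loose = sasldb_permissions_ok(path, os.getuid())
    finally:
        os.unlink(path)
    return tight, loose


if __name__ == "__main__":
    print("plain-text store / hashed store:", demo())
    print("mode 0600 / mode 0644:", permission_demo())
```

The hashed-store case is the answer to the original question: CRAM-MD5 is an HMAC keyed by the password, so whatever the server stores is the HMAC key, and only the plain-text password produces a digest that matches an honest client. The permission check treats any group or other bits as a failure, which accepts both 0600 and the 0700 mentioned in the reply.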


More information about the Info-cyrus mailing list