sasl_pwcheck_method
Greg A. Woods
woods-cyrus at weird.com
Tue Jun 9 21:32:35 EDT 2009
At Tue, 09 Jun 2009 01:19:49 +0200, lists at oliver-block.eu wrote:
Subject: Re: Re: sasl_pwcheck_method
>
> Dan White schrieb:
> > When authenticating via CRAM-MD5, the pwcheck_method will be ignored.
> > Your chosen pwcheck_method should only be referenced when
> > authenticating
> > via a 'plaintext' authentication mechanism - LOGIN or PLAIN.
>
> Good to know. I must have omitted this part of the manual.:-)
>
>
> > The fact
> > that mtest attempted to authenticate via CRAM-MD5 probably means that
> > you are advertising CRAM-MD5 support within imapd.conf.
>
> Actually cyrus seems to do that by his own!? Adding sasl_mech_list: PLAIN LOGIN to imapd.conf stops advertising it.
I've had the following in my template imapd.conf file for years now:
# Use these SASL authentication mechanisms.
#
# Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb
# and you start saslauthd with "-a getpwent"
#
# Don't use OTP or ANONYMOUS unless you really need them -- it causes some
# clients to prefer it, such as "cyradm".
#
# Don't put PLAIN before LOGIN -- it buggers Mozilla.
#
sasl_mech_list: LOGIN PLAIN
I'm not sure why Mozilla was confused, or whether current versions would
still be confused, but suffice it to say that no current clients I've
encountered in relatively large user populations have had problems with
the order being "LOGIN PLAIN".
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods at robohack.ca>
Planix, Inc. <woods at planix.com> Secrets of the Weird <woods at weird.com>
More information about the Info-cyrus
mailing list