Benachrichtung zum Übermittlungsstatus (Fehlgeschlagen)
dwhite at olp.net
Sun Jul 4 01:57:32 EDT 2010
On 04/07/10 00:29 -0300, D G Teed wrote:
>2010/7/2 Dan White <dwhite at olp.net>
>> Cyrus imap will offer all available and initializable SASL
>> authentication plugins it can find (see pluginviewer for that list). In
>> the case where you have a plugin installed that you don't wish to offer,
>> you can restrict the list of mechanisms with the sasl_mech_list option.
>> If you're depending on saslauthd for authentication, you shouldn't be
>> offering anything other than plain and login:
>> sasl_mech_list: PLAIN LOGIN
>Right, I had more in my list. And since I didn't have the cyrus-sasl-md5
>package before, the mentioning of MD5 mech types in the sasl_mech_list
>I have read some comments that suggest the MD5 mech options only work with
>sasl_pwcheck_method of auxprop, and won't work with pam via saslauthd. Is
>that true? That seems to be what you are saying as well. If not the
>case, I don't understand what would have been needed to enable the MD5
>types of auth mechanism. Any pointers to where the MD5 types of mech are
>documented for configuration?
See doc/components.html and doc/sysadmin.html within the Cyrus SASL source.
The sasl_pwcheck_method is not, and cannot be, used for CRAM-MD5 or
DIGEST-MD5. It's only appropriate for mechanisms which receive a password
from the client. For imapd, that would be the PLAIN and LOGIN mechanisms,
and the pre-sasl login command.
Cyrus SASL requires that shared secrets be stored within an auxprop store,
such as sasldb. Regardless of what your sasl_pwcheck_method configuration
is, sasl will always use your auxprop plugin(s) to service the DIGEST-MD5
plugin. To use DIGEST-MD5, you could use saslpasswd2 to store user
credentials within /etc/sasldb2.
saslauthd, and pam, cannot perform the required handshaking that DIGEST-MD5
requires, since the neither have knowledge of what the shared secret
>For some reason, IMAP connections using TLS were not impacted by the
>change. I'm not sure of all of the ways it was broken because I wanted to
>get the service back up ASAP, but I do know Horde webmail was unable to
>connect using IMAP and notls.
More than likely you were dealing with clients that failed the DIGEST-MD5
authentication and then fell back to PLAIN or pre-sasl login.
If 'allowplaintext' is disabled in your imapd.conf, then PLAIN, LOGIN, and
pre-sasl login can only be achieved in the presence of TLS or some other
encryption. 'allowplaintext: 0' will prevent a clear text password from
being sniffed over the wire.
More information about the Info-cyrus