On 02/05/16 13:44 -0800, Jan Parcel via Cyrus-devel wrote:
On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
On 2/4/16 6:24 PM, Jan Parcel via Cyrus-devel wrote:
I think there MUST be a way to use libsasl with smtp without storing
passwords in the clear, and ESPECIALLY not on each local system, but
nowhere in the docs is an example for how to do so.
This used to be possible using DIGEST-MD5, where the server stores
MD5(username:realm:password) instead of the plaintext password. This
is still a password equivalent, but only for the same realm (where
you can define the realm as a single host, or service, or company,
or...).
Sadly, Cyrus SASL removed support for this long ago, and now
requires the plaintext password be stored for anything other than
auth methods that send the password in the clear. Nobody ever
explained what the reasoning was for this change, and it still makes
me sad.
Well, since md5 is now considered weak, that does not appear to be a loss.
So, I want PLAIN, saslauthd, somehow hooked into ldap, without any
auxprop plugins?
And use tls or whatever is available on the system for transit privacy?
There is a flexible ldap backend to saslauthd. See saslauthd/LDAP_SASLAUTHD
in the source code for documentation.
Another approach is to use the pam backend, and use a pam ldap module to
handle authentication, which makes sense if you're already using one for
other authentication systems.
--
Dan White
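A concrete rendering of the setup Dan describes (PLAIN handed to saslauthd, saslauthd binding to LDAP, no auxprop plugin), added here as an illustration rather than anything posted in the thread or shipped with Cyrus SASL; the option names are those documented in saslauthd/LDAP_SASLAUTHD, while the hostnames, DNs, file paths and the Postfix file name are assumptions.

```ini
# /etc/saslauthd.conf  (assumed path; daemon started as: saslauthd -a ldap -O /etc/saslauthd.conf)
# Option names follow saslauthd/LDAP_SASLAUTHD; servers, base DN and account are assumptions.
ldap_servers: ldaps://ldap1.example.com ldaps://ldap2.example.com
ldap_version: 3
# "bind" makes saslauthd bind to the directory as the user, so the directory
# verifies the credential and nothing password-like is stored on the mail host.
ldap_auth_method: bind
# Read-only service account, used only to resolve the login name to a DN.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD
ldap_search_base: ou=people,dc=example,dc=com
ldap_scope: sub
# %u is the login name received over PLAIN; the filter limits matches to mail users.
ldap_filter: (&(uid=%u)(objectClass=inetOrgPerson))
# Check the directory's certificate so the plaintext bind cannot be redirected.
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/internal-ca.pem
ldap_timeout: 5

# /etc/postfix/sasl/smtpd.conf  (assumed; the application picks the file name)
# Route PLAIN/LOGIN checks to saslauthd instead of an auxprop plugin, so the
# SMTP server keeps no password or password-equivalent of its own.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
```

Keep saslauthd.conf readable only by the saslauthd user (it holds the service-account password), and offer PLAIN only on the TLS-protected SMTP listener, since the mechanism itself sends the password in the clear.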