On 2024-12-21 14:54, Michael Tokarev via Postfix-users wrote:
>
> cleartext password (storage) is required for many SASL mechanisms other
> than PLAIN. And none of these mechanisms work with -a pam or with
[...]
> However, there are other mechanisms being developed, for example OAUTH2,

What's worth mentioning is that PLAIN/LOGIN also requires cleartext password
storage - on the client side.

> I'm not sure I understand the "LDAP service as a password oracle" choice, -
> who does the SASL verification in there?

For LDAP backend there are two possible authentication flows:

1. LDAP server _binding_ directly with user-provided credentials - if that
   succeeds, then the user is authenticated,
2. binding to LDAP server with SASL-provider credentials (or anonymously)
   and then _querying_ for a user with provided credentials.
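
The two flows above, as an added example that is not part of the original message: a constructed in-memory `ToyDirectory` stands in for the LDAP server (every name here is hypothetical), and flow 2 is modelled as a service account reading the stored hash and comparing it locally, which is an assumption about how the query is done. It also shows why the bind flow has to reject empty passwords before contacting a server that accepts unauthenticated binds.

```python
import hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ToyDirectory:
    """Constructed in-memory stand-in for an LDAP server; not a real LDAP API."""
    def __init__(self):
        self._entries = {}          # DN -> (salt, password hash)
        self._hash_readers = set()  # DNs whose ACL lets them read hashes

    def add(self, dn, password, can_read_hashes=False):
        salt = os.urandom(16)
        self._entries[dn] = (salt, _hash(password, salt))
        if can_read_hashes:
            self._hash_readers.add(dn)

    def bind(self, dn, password):
        # Models a lenient server: an empty password is an RFC 4513
        # "unauthenticated bind" and is accepted without checking anything.
        if password == "":
            return True
        entry = self._entries.get(dn)
        return bool(entry) and hmac.compare_digest(entry[1], _hash(password, entry[0]))

    def read_hash(self, bound_dn, target_dn):
        if bound_dn not in self._hash_readers:
            raise PermissionError("no read access to password hashes")
        return self._entries.get(target_dn)

def auth_by_bind(directory, user_dn, password):
    """Flow 1: bind as the user; the directory checks the password."""
    if not password:  # never forward an empty password to a bind
        return False
    return directory.bind(user_dn, password)

def auth_by_query(directory, svc_dn, svc_pw, user_dn, password):
    """Flow 2: bind as the service account, fetch the hash, compare locally."""
    if not password or not svc_pw or not directory.bind(svc_dn, svc_pw):
        return False
    entry = directory.read_hash(svc_dn, user_dn)
    return entry is not None and hmac.compare_digest(entry[1], _hash(password, entry[0]))

def demo_directory():
    d = ToyDirectory()  # constructed sample entries
    d.add("uid=alice,dc=example,dc=org", "correct horse")
    d.add("cn=sasl,dc=example,dc=org", "svc-secret", can_read_hashes=True)
    return d
```

In flow 1 the verifier holds no directory credential of its own, while flow 2 only works for an account that is allowed to read password hashes.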