Patrick, Thanks for your reply. So if I have concluded correctly, the following configuration is the one which should bring together gssapi, plain and cram-md5 authentication mechanisms:
pwcheck_method: saslauthd auxprop mech_list: gssapi plain cram-md5 saslauthd_path: /var/run/saslauthd/mux keytab: /etc/krb5.keytab auxprop_plugin: sasldb But, you say that currently this does not work. True? What about ldapdb? I mean, is there actually anyway to achieve such a setup? Is it possible to use ldapdb in a way that eliminates the need to duplicate the credentials? Kind Regards Ali Majdzadeh Kohbanani 2009/11/11 Patrick Ben Koetter <p...@state-of-mind.de> > * Ali Majdzadeh <ali.majdza...@gmail.com>: > > Patrick, > > Hi > > Thanks for your mail. I use the following options in smtpd.conf: > > > > mech_list: gssapi plain > > pwcheck_method: saslauthd > > saslauthd_path: /var/run/saslauthd/mux > > keytab: /etc/krb5.keytab > > > > and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so) > > mechanisms. How is it possible to add cram-md5 mechanism? > > Sorry, but no. saslauthd is unable to handle shared-secret mechanisms. You > could, theoretically, tell libsasl to query different pwcheck_methods like > this: > > pwcheck_method: saslauthd auxprop > mech_list: gssapi plain cram-md5 > saslauthd_path: /var/run/saslauthd/mux > keytab: /etc/krb5.keytab > auxprop_plugin: sasldb > > libsasl would first try verification using saslauthd and if that fails it > would turn to auxprop "sasldb". This backend COULD provide cram-md5, but > you > would have to provide credentials in your kerberos backend AND in sasldb, > which IMHO is a pain to support and somehow renders all the security > efforts > for GSSAPI and kerberos useless, because you store the same credentials in > plaintext in a local database file. > > > By the way, I do know about sasldb and auxprop, but what I plan to > achieve > > is to have cram-md5 mechanism while supporting plain mechanism using > > saslauthd, PAM and pam_krb5.so. I have got no problems using native > GSSAPI > > support. > > AFAIK this in not possible at the moment. > > p...@rick > > > > > > > Kind Regards > > Ali Majdzadeh Kohbanani > > > > 2009/11/11 Patrick Ben Koetter <p...@state-of-mind.de> > > > > > * Ali Majdzadeh <ali.majdza...@gmail.com>: > > > > Hello All > > > > Is it possible to have both PLAIN and CRAM-MD5 authentication > > > > mechanisms using SASL? > > > > > > Yes. The password must be stored as plaintext. Then plaintext and > > > shared-secret mechanisms will work. > > > > > > p...@rick > > > > > > -- > > > All technical questions asked privately will be automatically answered > on > > > the > > > list and archived for public access unless privacy is explicitely > required > > > and > > > justified. > > > > > > saslfinger (debugging SMTP AUTH): > > > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/> > > > > > -- > All technical questions asked privately will be automatically answered on > the > list and archived for public access unless privacy is explicitely required > and > justified. > > saslfinger (debugging SMTP AUTH): > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/> >