Patrick Ben Koetter wrote:
* Drew Tomlinson <[EMAIL PROTECTED]>:
Thank you both so much for your help. This was the problem - well, part
of it anyway. After setting the above, I could see that authentication
was failing. I could also see that Postfix was choosing CRAM-MD5. I
knew from prior testing that method failed interactively as well. Thus
I set "smtp_sasl_mechanism_filter = !CRAM-MD5". Then I started getting
errors about "...no available mech...". Next I found
smtp_sasl_security_options included "noplaintext" and "noanonymous" by
default. Thus I set it to "noanonymous" to allow plaintext. I still
got the "...no available mech..." message. Well I knew from prior
testing that PLAIN did work, thus I set "smtp_sasl_mechanism_filter =
PLAIN". SUCCESS!!!
But for my own curiosity, why did not Postfix find PLAIN on its own?
Why did I have to set it specifically? I would have thought that
setting !CRAM-MD5 would have been enough.
Choosing the mechanism is not done by Postfix, but by the Cyrus SASL library
libsasl, linked into the Postfix smtp client.
The rationale is "go for the most secure mechanism". PLAIN is, left on its
own, far less secure than CRAM-MD5; plain is secure only when used in conjunction
with a TLS shielded connection.
And then there are the default settings of Postfix' smtp_sasl_security_options
and they forbid usage of insecure plaintext mechanisms unless you override the
default.
Thank you for your explanation.
So in a sum, if a server offers SMTP AUTH, the following happens:
1. Server offers AUTH
2. Postfix smtp client ignores it because of smtp_sasl_security_options default
3. You change smtp_sasl_security_options to allow plaintext
4. Server offers AUTH
5. Postfix hands it down as option to libsasl
6. libsasl prefers CRAM-MD5 over PLAIN
7. you set smtp_sasl_mechanism_filter = !CRAM-MD5 to have Postfix filter
CRAM-MD5 away and not have libsasl see this option
When I did this, I got an error about "...no available mech...".
8. libsasl sees only PLAIN
9. PLAIN is chosen and authentication takes place
This is what I expected to happen but it didn't. I had to specifically
set "smtp_sasl_mechanism_filter = PLAIN" to make it work. Now I wonder why?
Thanks,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
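
The filter and security-option steps discussed in this thread, as an added example (not code from the thread or from Postfix): a simplified Python model of which server-offered mechanisms are left for the SASL library after `smtp_sasl_mechanism_filter` and `smtp_sasl_security_options` are applied. It assumes Postfix's first-match list semantics, where a list containing only `!name` entries matches nothing (the Postfix documentation pairs negations with a catch-all, as in `!gssapi, !login, static:rest`); the EHLO line, the function names and the PLAIN/LOGIN plaintext set are constructed for illustration, and only plain names and `static:` entries are modelled.

```python
# Simplified model (added example): which server-offered SASL mechanisms
# survive smtp_sasl_mechanism_filter and smtp_sasl_security_options.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # credentials sent unhashed; need TLS

def split_list(value):
    """Split a main.cf list value on commas and whitespace."""
    return value.replace(",", " ").split()

def filter_allows(mech, mech_filter):
    """First-match-wins list lookup; an empty filter allows everything."""
    patterns = split_list(mech_filter)
    if not patterns:
        return True
    for pat in patterns:
        negate = pat.startswith("!")
        name = pat.lstrip("!")
        # "static:anything" stands for a table that matches every key.
        if name.startswith("static:") or name.upper() == mech.upper():
            return not negate
    return False   # nothing matched: a list of only "!x" entries allows nothing

def surviving_mechs(ehlo_auth_line, mech_filter, security_options):
    """Return the mechanisms left for the SASL library to choose from."""
    offered = ehlo_auth_line.split()[1:]          # drop the "AUTH" keyword
    options = set(split_list(security_options))
    kept = []
    for mech in offered:
        if not filter_allows(mech, mech_filter):
            continue
        if "noplaintext" in options and mech.upper() in PLAINTEXT_MECHS:
            continue
        if "noanonymous" in options and mech.upper() == "ANONYMOUS":
            continue
        kept.append(mech)
    return kept

if __name__ == "__main__":
    auth = "AUTH CRAM-MD5 PLAIN"                  # constructed EHLO line
    for flt, opts in [("", "noplaintext, noanonymous"),
                      ("!CRAM-MD5", "noanonymous"),
                      ("PLAIN", "noanonymous"),
                      ("!CRAM-MD5, static:rest", "noanonymous")]:
        left = surviving_mechs(auth, flt, opts)
        print(f"filter={flt!r:26} options={opts!r:28} -> {left or 'no mechanism left'}")
```

Whenever the result is PLAIN or LOGIN, the connection should be forced through TLS (for example `smtp_tls_security_level = encrypt`), in line with the point above that PLAIN is only safe over a TLS-protected session.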