* Ali Majdzadeh <ali.majdza...@gmail.com>:
> Patrick,
> Hi
> Thanks for your mail. I use the following options in smtpd.conf:
> 
> mech_list: gssapi plain
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd/mux
> keytab: /etc/krb5.keytab
> 
> and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
> mechanisms. How is it possible to add cram-md5 mechanism?

Sorry, but no. saslauthd is unable to handle shared-secret mechanisms. You
could, theoretically, tell libsasl to query different pwcheck_methods like
this:

pwcheck_method: saslauthd auxprop
mech_list: gssapi plain cram-md5
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
auxprop_plugin: sasldb

libsasl would first try verification using saslauthd and if that fails it
would turn to auxprop "sasldb". This backend COULD provide cram-md5, but you
would have to provide credentials in your Kerberos backend AND in sasldb,
which IMHO is a pain to support and somehow renders all the security efforts
for GSSAPI and Kerberos useless, because you store the same credentials in
plaintext in a local database file.

> By the way, I do know about sasldb and auxprop, but what I plan to achieve
> is to have cram-md5 mechanism while supporting plain mechanism using
> saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI
> support.

AFAIK this is not possible at the moment.

p...@rick



> 
> Kind Regards
> Ali Majdzadeh Kohbanani
> 
> 2009/11/11 Patrick Ben Koetter <p...@state-of-mind.de>
> 
> > * Ali Majdzadeh <ali.majdza...@gmail.com>:
> > > Hello All
> > > Is it possible to have both PLAIN and CRAM-MD5 authentication
> > > mechanisms using SASL?
> >
> > Yes. The password must be stored as plaintext. Then plaintext and
> > shared-secret mechanisms will work.
> >
> > p...@rick
> >
> > --
> > All technical questions asked privately will be automatically answered on
> > the list and archived for public access unless privacy is explicitly
> > required and justified.
> >
> > saslfinger (debugging SMTP AUTH):
> > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
> >

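Added example, not part of the original messages: a Python model of the point made in the reply above, that a yes/no password checker such as saslauthd can serve PLAIN but not CRAM-MD5, which needs the shared secret itself. The account, host name and function names are constructed for illustration, and the SHA-256 table only stands in for the Kerberos/PAM check behind saslauthd.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account; all names and values here are illustrative.
SASLDB = {"ali": "s3cret"}  # auxprop-style store: holds the plaintext secret
BACKEND = {"ali": hashlib.sha256(b"s3cret").hexdigest()}  # stand-in for Kerberos/PAM


def password_check(user, password):
    """Model of a saslauthd-style backend: gets a plaintext password, answers yes/no."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(BACKEND.get(user, ""), digest)


def make_challenge(host="mail.example.com"):
    """RFC 2195 style challenge: <random.timestamp@host>."""
    return f"<{secrets.randbelow(10**10)}.{int(time.time())}@{host}>"


def cram_md5_response(user, password, challenge):
    """Client side: user name plus hex HMAC-MD5(key=password, msg=challenge)."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {mac}"


def verify_plain(user, password):
    """PLAIN delivers the password itself, so a yes/no backend is sufficient."""
    return password_check(user, password)


def verify_cram_md5(challenge, response, secrets_db=None):
    """CRAM-MD5 delivers only a digest; the server must recompute it from the secret."""
    user, _, mac = response.rpartition(" ")
    if secrets_db is None:
        # Only the yes/no backend exists: the digest is all that could be
        # submitted to it, and the digest is not the password.
        return password_check(user, mac)
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())
```
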