* Charles Bradshaw <[email protected]>:
> I am considering switching my smtpd from sendmail to postfix, but I am a
> little confused.
> 
> The following snip from http://www.postfix.org/SASL_README.html
> 
> "
> /etc/sasl2/smtpd.conf:
>     pwcheck_method: saslauthd
>     mech_list: PLAIN LOGIN
> 
> Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
> using saslauthd! It can only handle these two mechanisms, and authentication
> will fail if clients are allowed to choose other mechanisms.
> "
> 
> Appears to be wrong! I have the sasl2 configuration:
> 
> /etc/sasl2/Sendmail.conf:
>     pwcheck_method: saslauthd
>     mech_list: DIGEST-MD5 PLAIN


It works! And on second thought I am even able to explain why. ;)

Cyrus SASL can use multiple backends, which are rarely used or discussed on
the Postfix mailing list. Here's an example that illustrates your setup:

/etc/sasl2/$applicationname.conf:
    pwcheck_method: saslauthd auxprop
    mech_list: DIGEST-MD5 PLAIN
    auxprop_plugin: sasldb

Note the two entries at $pwcheck_method? The parameter specifies two (!)
backends which are consulted in the order listed.

But you haven't, and why would that work too?

There's a fallback mechanism in Cyrus SASL that makes it always (!) call
sasldb, if a) no authentication backend was specified and/or b) a mechanism
was asked which cannot be handled by the backends specified.

In your case b) is true. Clients choose DIGEST-MD5, libsasl finds out saslauthd
can't handle shared-secret mechs, it looks for another backend in the
$pwcheck_method list, it can't find another, it falls back to sasldb and
BINGO, it works.

If that's what you want, stick with it in your upcoming Postfix setup. You
_could_ get the same results with SQL or LDAP as auxprop_plugin, but there's
certainly a reason you went for SASLDB in the first place.

p@rick

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, District Court (Amtsgericht) München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
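
The backend lookup described in the reply above, as an added example that is not part of the original e-mail and is not Cyrus SASL code. It models only the behaviour the reply states (backends tried in the order listed, saslauthd limited to PLAIN and LOGIN, implicit fallback to sasldb); the function names and the sample config are constructed for illustration.

```python
# Added example: models the backend selection described in the reply above.
SAMPLE_CONF = """\
pwcheck_method: saslauthd
mech_list: DIGEST-MD5 PLAIN
"""  # constructed sample, mirrors /etc/sasl2/Sendmail.conf from the thread

# saslauthd can only handle these two mechanisms (per SASL_README).
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}


def parse_conf(text):
    """Parse 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def resolve_backends(conf):
    """Map each offered mechanism to the backend that would verify it."""
    methods = conf.get("pwcheck_method", "").split()
    # Assumption: label an unset auxprop_plugin as "default".
    plugin = conf.get("auxprop_plugin", "default")
    result = {}
    for mech in conf.get("mech_list", "").upper().split():
        chosen = None
        for method in methods:  # backends are consulted in the order listed
            if method == "saslauthd" and mech in SASLAUTHD_MECHS:
                chosen = "saslauthd"
            elif method == "auxprop":
                chosen = "auxprop:" + plugin
            if chosen:
                break
        # No listed backend can serve the mechanism: fall back to sasldb.
        result[mech] = chosen or "sasldb (implicit fallback)"
    return result


if __name__ == "__main__":
    for mech, backend in resolve_backends(parse_conf(SAMPLE_CONF)).items():
        print(f"{mech:12} -> {backend}")
```

Running it against a real /etc/sasl2/*.conf shows which offered mechanisms depend on a credential store the config never names.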
 
