Patrick

I have tested CRAM-MD5 with both "pwcheck_method:saslauthd" and "pwcheck_method:auxprop" in /etc/sasl2/Sendmail.config

Both work so your assertion about fallback appears to be correct and the readme is, at best, misleading! Certainly the case when using sendmail. If and when I switch to postfix I will post again.

If you still want me to test gen-auth we will have to go through the loop, exchange public keys and verify each other. You can then send me the code in a verifiable and secure way.

Thanks for your help.

Charles Bradshaw

On Tue, 15 Jan 2013 06:52:49 +0100, Patrick Ben Koetter wrote
>
> * Charles Bradshaw <b...@bradcan.homelinux.com>:
> > I am considering switching my smtpd from sendmail to postfix, but I am a
> > little confused.
> >
> > The following snip from http://www.postfix.org/SASL_README.html
> >
> > "
> > /etc/sasl2/smtpd.conf:
> > pwcheck_method: saslauthd
> > mech_list: PLAIN LOGIN
> >
> > Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
> > using saslauthd! It can only handle these two mechanisms, and authentication
> > will fail if clients are allowed to choose other mechanisms.
> > "
> >
> > Appears to be wrong! I have the sasl2 configuration:
> >
> > /etc/sasl2/Sendmail.conf:
> > pwcheck_method: saslauthd
> > mech_list: DIGEST-MD5 PLAIN
> >
> > >> DEFINITELY WORKING <<
> >
> > Admittedly, I am using sendmail and not postfix so perhaps I have a
> > misconfiguration somewhere. The server in question is using /etc/salsdb
> > with some test users NOT having accounts on the server and the debug
> > dialogs clearly show that DIGEST-MD5 is being used.
> >
> > The above quote, cut and paste from the readme, contains a clear enough
> > statement, except for the grammar, i.e. the word "other" missing between the
> > words "mech_list" and "than". But:
> >
> > I'm confused because I have a solid, tested, working example which
> > contradicts the postfix readme.
> >
> > Is the operation of Sendmail.conf somehow different to smtpd.conf?
> >
> > Further on the readme does say:
> >
> > /etc/sasl2/smtpd.conf:
> > pwcheck_method: auxprop
> > auxprop_plugin: sasldb
> > mech_list: CRAM-MD5 PLAIN
> >
> > Which also works.
>
> This will work, because the auxprop mechanism 'sasldb' can handle plaintext
> (PLAIN, LOGIN) and shared secret mechanisms (CRAM-MD5, DIGEST-MD5).
>
> > Is there a rational explanation or do I just put it down to a ghost in the
> > machine?
>
> I am confused too, because I had it first hand from Alexey Melnikov,
> who is one of the main developers of Cyrus SASL, and he told me all
> saslauthd can handle are plaintext mechanisms aka PLAIN and LOGIN.
>
> Out of curiosity: Would you mind downloading gen-auth
> <http://jetmore.org/john/code/gen-auth>, making it executable and running
> a CRAM-MD5 AUTH session against your Sendmail server?
>
> It would go along these lines:
>
>     telnet YOURSERVER 25
>     EHLO foo
>     ...
>     AUTH CRAM-MD5
>     abcdefg0123456
>
> The server then outputs a challenge (here: abcdefg0123456) string.
> Use that string in gen-auth like this:
>
>     ./gen-auth cram-md5 username password abcdefg0123456
>     6543210gfedcba
>
> gen-auth will return a response string (here: 6543210gfedcba). Paste
> that back into your telnet dialogue. If you get "Authentication
> successful" then I will need to investigate further and I will
> update the documentation. If not you just might have been lucky to
> offer PLAIN as alternative, which clients either choose in the first
> (the client chooses the SASL MECH) or fell back to once they had
> failed attempting CRAM-MD5.
>
> p@rick
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Joerg Heidrich
>
> Open WebMail Project (http://openwebmail.org)
------- End of Original Message -------