On Mon, 20 Aug 2001, Amos Gouaux wrote:
> >>>>> On Sun, 19 Aug 2001 21:51:33 -0700,
> >>>>> David Wright <[EMAIL PROTECTED]> (dw) writes:
>
> dw> Cyrus-imapd (1.6.24) insists on advertising AUTH=CRAM-MD5, even
> dw> though this is a lie. This is (I think) one of the (many bad)
> dw> side-effects of SASL -- because of SASL cyrus advertises this AUTH,
> dw> but in fact my sasldb is utterly empty (all authentication is via
> dw> PAM) and so any client that takes cyrus up on the offer gets told
> dw> the user doesn't exist.
>
> dw> So... how can I get cyrus to stop advertising AUTH=CRAM-MD5?
>
> Configure cyrus-sasl accordingly. Use the various --disable-*
> options to configure. See --help for details.
>
>
You don't need to recompile, just remove the crammd5 mech pluging
from the pluging directory (/usr/lib/sasl on my system). I had the
same problem with GSSAPI (Pine starts complaining for the lack of kerberos
setup on the client - then it falls back to CRAM-MD5, but if CRAM-MD5
fails, it doesn't try PLAIN).
I think the client should try different mechs if the preferred one fails,
since a certain mech can be unavailable to some users, but the users can
be authenticated by means of a different mech. It is true that some
clients (or some servers, like sendmail) can be configured to require
secure authentication, and thus they refuse to fallback to PLAIN. If
this is your case, the only way to enable PLAIN is to have the client
use setup a SSL/TLS connection before authentication. Sendmail offers
PLAIN only *after* a successful STARTTLS.
.TM.
--
____/ ____/ /
/ / / Marco Colombo
___/ ___ / / Technical Manager
/ / / ESI s.r.l.
_____/ _____/ _/ [EMAIL PROTECTED]
