> Then the problem is really that debian's postfix packages don't include
> postfix's SMTP AUTH/sasl patch, right? I've done a lot of postfix builds
> in the past and they're really nothing to be afraid of. Even on the
> machines where I run debian, I still build postfix from source to gain
> access to things like LDAP and the latest versions.
No, Debian's cyrus-sasl doesn't include the patch to lookup encrypted
passwords in sql. This means I have to build cyrus-sasl from source and
everything that depends on it, cyrus-imapd, postfix, anything else?
It also mans I have to build a 'dummy' MTA package so I can remove
Debian's postfix package without wrecking my system.
I guess I could use pam. SMTP AUTH would look like:
postfix -> sasl -> saslauthd -> pam -> mysql
And cyrus-imap would do the same:
imap -> sasl -> saslauthd -> pam -> mysql
> What if a user gains access to your database? Furthermore, what would be
> the point of having them stored in plain text? Might as well encrypt them
> then.
Having encrypted passwords is part of the problem, in addition the fact
that there are many different encryption schemes. My users already have a
mix of crypt and md5crypt passwords. Still need a way to rectify this.
Stil might be handy to temorarily collect usernames and a clear text
passwords, then store them encrypted in mysql.
Oh man, I am almost ready to toss the idea of a 'sealed' mail server
alltogether. Instead keep unix accounts, shadow passwords and lock down
the box so mail users do not have shell access....
Adi
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
