On Mon, Aug 11, 2025 at 06:05:52PM -0600, James Feeney wrote:
> More complicated than that, though. I just have /etc/sasl2/smtpd.conf
> using "auxprop_plugin: sasldb", and sasldb only provides plaintext
> passwords. As emphasized at
> https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/sysadmin.html
> ----
> For simplicity sake, the Cyrus SASL library stores plaintext passwords
> only in the /etc/sasldb2 database. These passwords are then shared
> among all mechanisms which choose to use it.
Outdated threat model. DO NOT do this. Use a PAM backend with strong
password hashes.
> The princip[al] problem for a system administrator is to make sure that
> sasldb is properly protected; only the servers that need to read it to
> verify passwords should be able to. If there are any normal shell
> users on the system, they must not be able to read it.
See above.
> In my case, the client is gnome evolution mail, the server is postfix,
> and the database is sasldb2. I'm not sure what you mean by "with
> PLAIN the server stores only password hashes", so I'm curious how you
> achieved that. Otherwise PLAIN just uses plaintext passwords and is
> nothing special.
The PLAIN mechanism DOES NOT REQUIRE cleartext password storage, and
SHOULD be deployed with a backend that stores password hashes. If
you're storing cleartext passwords that human users select, you MUST
avoid mechanisms that require cleartext password storage and MUST
avoid unnecessary storage of cleartext passwords.
> On a related point, I later noticed that the mechanism list *must* be
> specified in *both* postfix at smtpd_sasl_mechanism_filter=
No, the Postfix filter is optional, if you're willing to tolerate whatever
mechanisms SASL offers, and with the Postfix filter set, it should be
possible to let SASL advertise whatever mechanisms it has available. You
should not have to set both. I've never done it.
> *and* at
> /etc/sasl2/smtpd.conf, mech_list:, where I was missing DIGEST-MD5.
> Including DIGEST-MD5 in /etc/sasl2/smtpd.conf, gnome evolution can use
> that too, and it works. Lots of details to track.
Don't use it. Use PLAIN with a hashed backend store.
--
Viktor. 🇺🇦 Glory to Ukraine!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
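For the two setups contrasted in this exchange, an added configuration example (not part of the thread and not either poster's own files) places the sasldb arrangement beside a PLAIN-over-saslauthd arrangement in which only the system's existing password hashes are consulted. File paths, the Debian-style saslauthd defaults file and the PAM service name are assumed typical Linux defaults.

```ini
# --- /etc/sasl2/smtpd.conf: the arrangement discussed in the thread ---
# sasldb keeps every user's password in cleartext in /etc/sasldb2, so
# the whole credential set is one readable file away from exposure.
# (kept here, commented out, for contrast only)
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#mech_list: PLAIN LOGIN DIGEST-MD5

# --- /etc/sasl2/smtpd.conf: PLAIN verified through saslauthd ---
# Postfix hands the PLAIN credentials to saslauthd over a local socket;
# saslauthd checks them via PAM against the system's hashed passwords,
# so no cleartext password is stored on disk for mail.
pwcheck_method: saslauthd
# Only mechanisms that deliver the password itself can be verified
# against a hash; DIGEST-MD5 and CRAM-MD5 would need sasldb again.
mech_list: PLAIN LOGIN

# --- saslauthd startup (assumed: /etc/default/saslauthd on Debian) ---
# MECHANISMS="pam"      -> equivalent to running: saslauthd -a pam
# The PAM service consulted is the protocol name, "smtp", so
# /etc/pam.d/smtp must exist; create it if the distribution lacks one.

# --- /etc/postfix/main.cf ---
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# PLAIN carries the password in the clear inside the SMTP session, so
# advertise AUTH only once STARTTLS protects the connection.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# Optional: narrow what Postfix advertises even if SASL has more loaded.
smtpd_sasl_mechanism_filter = PLAIN, LOGIN
```

Before involving Postfix, the Cyrus SASL tool `testsaslauthd -u <user> -p <password> -s smtp` exercises the saslauthd-to-PAM path on its own.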