* Charles Bradshaw <b...@bradcan.homelinux.com>:
> I am considering switching my smtpd from sendmail to postfix, but I am a
> little confused.
> 
> The following snip from http://www.postfix.org/SASL_README.html
> 
> "
> /etc/sasl2/smtpd.conf:
>     pwcheck_method: saslauthd
>     mech_list: PLAIN LOGIN
> 
> Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
> using saslauthd! It can only handle these two mechanisms, and authentication
> will fail if clients are allowed to choose other mechanisms.
> "
> 
> Appears to be wrong! I have the sasl2 configuration:
> 
> /etc/sasl2/Sendmail.conf:
>     pwcheck_method: saslauthd
>     mech_list: DIGEST-MD5 PLAIN
> 
> >> DEFINITELY WORKING <<
> 
> Admittedly, I am using sendmail and not postfix so perhaps I have a
> misconfiguration somewhere. The server in question is using /etc/sasldb with some
> test users NOT having accounts on the server and the debug dialogs clearly
> show that DIGEST-MD5 is being used.
> 
> The above quote, cut and paste from the readme, contains a clear enough
> statement, except for the grammar, i.e. the word "other" missing between the
> words "mech_list" and "than". But:
> 
> I'm confused because I have a solid, tested, working example which contradicts
> the postfix readme.
> 
> Is the operation of Sendmail.conf somehow different to smtpd.conf?
> 
> Further on the readme does say:
> 
> /etc/sasl2/smtpd.conf:
>     pwcheck_method: auxprop
>     auxprop_plugin: sasldb
>     mech_list: CRAM-MD5 PLAIN
> 
> Which also works.

This will work, because the auxprop mechanism 'sasldb' can handle plaintext
(PLAIN, LOGIN) and shared secret mechanisms (CRAM-MD5, DIGEST-MD5).


> Is there a rational explanation or do I just put it down to a ghost in the
> machine?

I am confused too, because I had it first hand from Alexey Melnikov, who is
one of the main developers of Cyrus SASL, and he told me all saslauthd can
handle are plaintext mechanisms aka PLAIN and LOGIN.

Out of curiosity: Would you mind downloading gen-auth
<http://jetmore.org/john/code/gen-auth>, making it executable and running a CRAM-MD5
AUTH session against your Sendmail server?

It would go along these lines:

telnet YOURSERVER 25
EHLO foo
...
AUTH CRAM-MD5
abcdefg0123456

The server then outputs a challenge (here: abcdefg0123456) string. Use that
string in gen-auth like this:

./gen-auth cram-md5 username password abcdefg0123456
6543210gfedcba

gen-auth will return a response string (here: 6543210gfedcba). Paste that back
into your telnet dialogue. If you get "Authentication successful" then I will
need to investigate further and I will update the documentation. If not, you
just might have been lucky to offer PLAIN as an alternative, which clients either
choose in the first place (the client chooses the SASL mechanism) or fall back to
once they have failed attempting CRAM-MD5.


p@rick

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
 
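The AUTH CRAM-MD5 exchange Patrick asks for, worked through end to end as an added example (this is not code from the thread, from gen-auth, or from Cyrus SASL): the client side computes what gen-auth prints from user name, password and the server's base64 challenge (RFC 2195: HMAC-MD5 over the decoded challenge, keyed with the password, sent back as base64 of "user hexdigest"), and the server side recomputes that HMAC from a stored plaintext shared secret, which is what an auxprop plugin such as sasldb keeps and a plain username/password checker never sees. The user "tim", the password, the host name and the secret store are constructed for the demonstration.

```python
"""CRAM-MD5 for SMTP AUTH (RFC 2195 / RFC 4954), both sides of the dialogue.

Added example, not part of the mailing-list thread. The user name, password,
host name and SECRETS table are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os
import time

# Constructed server-side secret store: the plaintext shared secret per user,
# as an auxprop plugin such as sasldb would hold it.
SECRETS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname="mail.example.invalid"):
    """Build an RFC 2195-style challenge: <random.timestamp@hostname>."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"


def encode_challenge(challenge):
    """Base64 form of the challenge, as the server sends it after '334 '."""
    return base64.b64encode(challenge.encode()).decode()


def cram_md5_response(username, password, challenge_b64):
    """Client side (what gen-auth computes): HMAC-MD5 of the decoded challenge,
    keyed with the password, returned as base64 of 'username hexdigest'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(response_b64, challenge_b64, secrets):
    """Server side: recompute the HMAC from the stored shared secret and compare
    in constant time. The password itself is never on the wire, so the server
    must already hold the secret; a checker that only verifies a submitted
    username/password pair has nothing to check here."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # not base64, not UTF-8, or no separating space
        return False
    secret = secrets.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_auth_dialog(username, password, secrets, challenge=None):
    """Simulate the AUTH CRAM-MD5 part of an SMTP session.

    Returns (authenticated, transcript); the transcript lists the lines the
    client (C:) and server (S:) exchange, mirroring the telnet session above."""
    challenge = challenge or make_challenge()
    challenge_b64 = encode_challenge(challenge)
    transcript = ["C: AUTH CRAM-MD5", f"S: 334 {challenge_b64}"]
    response = cram_md5_response(username, password, challenge_b64)
    transcript.append(f"C: {response}")
    ok = verify_cram_md5(response, challenge_b64, secrets)
    transcript.append("S: 235 2.7.0 Authentication successful" if ok
                      else "S: 535 5.7.8 Authentication credentials invalid")
    return ok, transcript


if __name__ == "__main__":
    ok, lines = smtp_auth_dialog("tim", "tanstaaftanstaaf", SECRETS)
    print("\n".join(lines))
    print("authenticated:", ok)
```

Running it prints a transcript of the shape shown in the telnet session, with real base64 in place of the placeholder strings. To repeat the manual test against a real server, feed the string after "334 " to `cram_md5_response` (or to gen-auth) and paste the returned line into the session; a 235 reply means the server was able to recompute the HMAC, which it can only do from a stored shared secret.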
