Subject: sasl2 + postfix2 problems and questions
To: None <netbsd-users@netbsd.org>
From: Amadeus <poff@sixbit.org>
List: netbsd-users
Date: 06/30/2004 16:02:40
Hello All,

I'm running an internal mail server under NetBSD 1.6.2 and have some gripes 
and questions! It's been about a week that I've been testing this out, so this 
is a résumé of all that.

I've recently tried experimenting with SASL in order to get SMTP 
authentication.

The whole idea is for internal (LAN) email, but with SMTP authentication to 
make sure there is no spoofing (this is for a High school).

Postfix that ships with NetBSD (1.6.2) works fine, but I'm using a fairly 
up-to-date pkgsrc to compile postfix with sasl support.

I want to use the shadow mechanism for simplicity, but don't want passwords 
sent in the clear, susceptible to sniffing, so if I understand 
correctly, not use PLAIN or LOGIN but CRAM-MD5 or DIGEST-MD5, although to 
be honest I'm a little confused and don't know if this is a possible 
combination: shadow + DIGEST-MD5 - or PLAIN/LOGIN under TLS (too 
complicated!).

I compiled cyrus-sasl2 and cyrus-saslauthd from pkgsrc.

I compiled postfix2 with USE_SASL2=YES from pkgsrc.

Running saslauthd -V:

authentication mechanisms: getpwent rimap

(why isn't shadow shown?)

rc.conf:

postfix=YES
saslauthd=YES
saslauthd_flags='-a getpwent'

smtpd.conf:

pwcheck_method:saslauthd

(why doesn't specifying: shadow work?)

main.cf:

smtpd_sasl_auth_enable = yes
smtpd_client_restrictions =
  permit_sasl_authenticated
  reject # only authenticated users
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

I spent a long time messing with cyrus2, notably saslauthd_flags in rc.conf, 
to get this to work manually with PLAIN AUTH.

Unfortunately Outlook Express 6 can't seem to use any of the auth 
mechanisms postfix advertises:

250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5

And just fails to send a message.

I recompiled cyrus-sasl2 with AUTH LOGIN supported in a last attempt, as I 
read that Outlook Express 5 needs this.

250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5

And now Outlook Express 6 works.

Is this a limit of Outlook Express? Will I never get secure password 
authentication without using TLS?

TLS seems complicated, but it appears it is the only choice in this case. 
Am I right?

Any comments are warmly welcome.

Amadeus

 -- 
poff@sixbit.org
SDF Public Access UNIX System - http://sdf.lonestar.org

Please do not carbon copy replies to me
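The mechanisms the post's server advertises differ in what a LAN sniffer can learn. The following added example (not part of the original mail, and not Postfix or Cyrus SASL code) decodes constructed PLAIN and LOGIN exchanges to show the password travels in reversible base64, and implements the CRAM-MD5 client/server steps from RFC 2195 to show that the wire only carries an HMAC. It also makes the shadow question concrete: the CRAM-MD5 verifier needs the cleartext password, which a crypt(3) shadow hash cannot provide, so saslauthd with getpwent/shadow can only back PLAIN and LOGIN, and those need TLS to be safe on the wire. All credentials and the challenge are made up.

```python
import base64
import hashlib
import hmac

# Constructed sample exchanges; the user, password and challenge are made up.
PLAIN_LINE = "AUTH PLAIN " + base64.b64encode(b"\0student\0s3cret").decode()
LOGIN_LINES = [base64.b64encode(b"student").decode(),      # reply to "334 VXNlcm5hbWU6"
               base64.b64encode(b"s3cret").decode()]       # reply to "334 UGFzc3dvcmQ6"
CRAM_CHALLENGE = b"<1896.697170952@mail.example.invalid>"   # server's "334 <base64 of this>"


def decode_plain(line: str):
    """What a sniffer recovers from an AUTH PLAIN line (RFC 4616): authcid and password."""
    blob = base64.b64decode(line.split()[-1])
    _authzid, authcid, password = blob.split(b"\0")
    return authcid.decode(), password.decode()


def decode_login(b64_user: str, b64_pass: str):
    """Same for AUTH LOGIN: two base64 blobs, no secrecy at all."""
    return base64.b64decode(b64_user).decode(), base64.b64decode(b64_pass).decode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the challenge, keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side: recomputes the HMAC, so it must hold the cleartext (or equivalent) password.
    A crypt(3) hash from /etc/master.passwd cannot be used here, which is why shadow/getpwent
    backends only support PLAIN and LOGIN."""
    _user, digest = response.split()
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_on_wire(password: str, *wire_fields: str) -> bool:
    """True if the cleartext password is recoverable from the given wire fields."""
    for field in wire_fields:
        try:
            if password.encode() in base64.b64decode(field.split()[-1]):
                return True
        except (ValueError, IndexError):
            continue
        if password in field:
            return True
    return False
```

Run the functions against the constructed samples to compare the three mechanisms: `password_on_wire` is true for the PLAIN and LOGIN blobs and false for the CRAM-MD5 response, while `cram_md5_verify` only succeeds when the server knows the cleartext password.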