Subject: sasl2 + postfix2 problems and questions
To: None <firstname.lastname@example.org>
From: Amadeus <email@example.com>
Date: 06/30/2004 16:02:40
I'm running an internal mail server under NetBSD 1.6.2 and have some gripes
and questions! I've been testing this out for about a week, so this
is a summary of all that.
I've recently tried experimenting with SASL in order to get SMTP
The whole idea is for internal (LAN) email, but with SMTP authentication to
make sure there is no spoofing (this is for a High school).
The Postfix that ships with NetBSD (1.6.2) works fine, but I'm using a fairly
up-to-date pkgsrc to compile postfix with SASL support.
I want to use the shadow mechanism for simplicity, but don't want
passwords sent in the clear, susceptible to sniffing, so if I understand
correctly, not use PLAIN or LOGIN but CRAM-MD5 or DIGEST-MD5, although to
be honest I'm a little confused and don't know if this is a possible
combination: shadow + DIGEST-MD5 - or PLAIN LOGIN under TLS (too
I compiled cyrus-sasl2 and cyrus-saslauthd from pkgsrc.
I compiled postfix2 with USE_SASL2=YES from pkgsrc.
running saslauthd -V:
authentication mechanisms: getpwent rimap
(why isn't shadow shown?)
(why doesn't specifying: shadow work?)
smtpd_sasl_auth_enable = yes
reject # only authenticated users
broken_sasl_auth_clients = yes
I spent a long time messing with cyrus2, notably saslauthd_flags in rc.conf
to get this to work manually with PLAIN AUTH.
Unfortunately Outlook Express 6 can't seem to use any of the auth
mechanisms postfix advertises:
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
And just fails to send a message.
I recompiled cyrus-sasl2 with AUTH LOGIN supported in a last attempt, as I
read that Outlook Express 5 needs this.
250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
And now Outlook Express 6 works.
Is this a limit of Outlook Express? Will I never get secure password
authentication without using TLS?
TLS seems complicated, but it appears it is the only choice in this case.
Am I right?
Any comments are warmly welcome.
SDF Public Access UNIX System - http://sdf.lonestar.org
Please do not carbon copy replies to me
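
Added example, not part of the original message: a small check that reads an EHLO reply like the ones quoted above and reports which advertised mechanisms (PLAIN and LOGIN) carry the password itself, only base64-encoded, as opposed to challenge-response mechanisms such as CRAM-MD5 and DIGEST-MD5. The sample reply is constructed around the AUTH line from the message; the hostname and the other keywords are assumptions.

```python
import re

# PLAIN and LOGIN transmit the password base64-encoded, which is not encryption.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return (set of AUTH mechanisms, whether STARTTLS is offered)."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        m = re.match(r"^250[- ](.*)$", line.strip())
        if not m:
            continue
        keyword = m.group(1).strip().upper()
        if keyword == "STARTTLS":
            starttls = True
        # "AUTH=" is the non-standard form Postfix adds when
        # broken_sasl_auth_clients = yes, for older Microsoft clients.
        elif keyword.startswith("AUTH ") or keyword.startswith("AUTH="):
            mechs.update(keyword[5:].split())
    return mechs, starttls

def audit(reply, tls_active=False):
    """Summarise password exposure for the session the reply was seen on."""
    mechs, starttls = parse_ehlo(reply)
    cleartext = sorted(mechs & CLEARTEXT_MECHS)
    return {
        "mechanisms": sorted(mechs),
        "cleartext_mechanisms": cleartext,
        "starttls_offered": starttls,
        # Offered on an unencrypted session: a client that picks one of
        # these sends a password that can be read off the wire.
        "password_exposed": bool(cleartext) and not tls_active,
    }

# Constructed sample: AUTH line taken from the message, the rest assumed.
SAMPLE_EHLO = """\
250-mail.example.org
250-PIPELINING
250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EHLO).items():
        print(f"{key}: {value}")
```

Run against the reply captured after STARTTLS has been negotiated, pass `tls_active=True`; the same mechanisms are then protected by the encrypted channel.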