Subject: Re: sasl and --disable-login
To: Andrew Brown <>
From: Johnny C. Lam <>
List: tech-pkg
Date: 03/16/2003 09:59:16
On Fri, Mar 14, 2003 at 04:57:25PM -0500, Andrew Brown wrote:
> i note, with trepidation, that the cyrus-sasl packages are configured
> with --disable-login.  while i understand that the login protocol is
> alomost completely worthless from a security standpoint, it is however
> the only means that programs like outlook will use to authenticate to
> an smtp server that offers authentication (eg the postfix package).
> maybe i should just enable the login method...

My memory about Cyrus SASL is a bit fuzzy, but I that if the LOGIN
authentication plugin is installed, then when the SASL negotiation step
occurs to discover a common authentication mechanism, the server doesn't
advertise that it can do LOGIN, but it will accept it if the client asks
for it explicitly.  To me, this sounds like security through obscurity.
Also from what I remember about Cyrus SASL, there is no global
configuration file to specify which authentication mechanisms are allowed
or disallowed; it's merely a matter of which plugins are available in
${PREFIX}/lib/sasl.  I think we can just build the LOGIN plugin separately
from the rest of Cyrus SASL in another package, e.g. cy-login or
cyrus-sasl-login, so that normal users of SASL aren't hobbled by a bad
authentication mechanism while users that need it can just install a
separate package for the extra functionality.


	-- Johnny Lam <>