
Re: sendmail/SMTP-AUTH/PAM Solution!!!



On 23 Jul 2003 10:07:41 -0700
"Jeff Wiegley, PhD" <jeffw@cyte.com> wrote:

> Todd,
> 
>     I hope you don't mind but I'm copying your last message
> sent to me to the users lists because it did result in a
> solution, and it's so simple that I want a permanent record
> of it in a searchable location.

Sure, no problem.  See below for some addenda, though.

> <snip>
> 
> Oh here's a good one for you... Why I **REALLY** don't
> want to use the sasl2 database... umm /etc/sasldb2
> stores passwords IN CLEARTEXT!!! so if somebody hacks
> the box they instantly know all my passwords. This is
> just stupid.
> A quote from the sasl docs:
> 
>    "For simplicity sake, the Cyrus SASL library stores
>     plaintext passwords only in the /etc/sasldb2
>     database."
> 
> Umm. What bright idiot thought that the best route to
> implement something secure was the "simple" way??
> At least with plain/login I can keep shadow secrets
> hashed and I can accept only pops and imaps to prevent
> passwords from being communicated in plaintext.
>
> <snip>

If somebody out there knows SASL better than I do, I would also like to
understand the motivation for this change in behavior (passwords were
hashed in SASLv1, but not in SASLv2). It would appear that SASL, being a
crypto package, should be able to implement some kind of hash, even if
only a simple one, for its password database regardless of the platform.
But the SASL people are obviously not stupid, so I expect there must be
something I'm missing.  

Also, since this is being preserved for posterity, I should add two
more significant points.

1) SSL/TLS are not "end-to-end encryption" methods as I erroneously
stated.

2) The per-service SASL config files (like Sendmail.conf.2) can have
some further variability to keep you on your toes.  Sendmail follows
the standard, so the following doesn't change what I wrote.  But
should somebody be using that info for other SASL-capable apps, there
are a couple more hangups.

The canonical location for per-service config files is
/usr/lib/sasl2 (Debian symlinks from there to /etc/mail/sasl for
Sendmail), but that location is not strictly enforced. Apps are free to
read their SASL config from elsewhere if they desire. Cyrus IMAP, on BSD
at least (haven't checked out Debian's version), reads its SASL config
from /etc/imapd.conf. So you have to check the app's docs to figure out
where the file should live. Furthermore, since the file is parsed by the
app and not by a SASL component per se, the syntax can differ from what I
outlined in the post. Taking Cyrus again, its config file *does* use
sasl_pwcheck_method, even though I said that option is obsolete.  How?
Because Cyrus handles the parsing and strips the leading "sasl_" part
when it hands off the info. So really, it is using just "pwcheck_method"
as I described, but it doesn't look like it at first. This also means
that options pertaining to SASL can be mixed in with other non-SASL
options, since the app chooses which parts to hand off.

Ah, what fun...
Todd
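To make the hand-off Todd describes concrete, here is an added illustration (not Cyrus's code, nor anything from this thread) that models how an app parses its own config file, strips the leading "sasl_" from matching keys, and passes only those options on to SASL, while non-SASL options stay with the app. The sample imapd.conf contents, paths and values are constructed for the example.

```python
"""Model of how an application (Cyrus IMAP style) hands SASL options to libsasl.

The app reads its own config (e.g. /etc/imapd.conf), strips the leading
"sasl_" from matching keys, and hands only those to the SASL library, so a
file containing "sasl_pwcheck_method" really configures plain "pwcheck_method".
This is an illustrative re-implementation, not Cyrus's own code.
"""
from typing import Dict, Tuple

SASL_PREFIX = "sasl_"

# Constructed sample imapd.conf; keys, paths and values are made up for this example.
SAMPLE_IMAPD_CONF = """\
# imapd.conf (constructed sample)
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignored
        opts[key.strip()] = value.strip()
    return opts


def split_sasl_options(opts: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (sasl_opts, app_opts): sasl_* keys with the prefix stripped, as SASL sees them."""
    sasl_opts: Dict[str, str] = {}
    app_opts: Dict[str, str] = {}
    for key, value in opts.items():
        if key.startswith(SASL_PREFIX):
            sasl_opts[key[len(SASL_PREFIX):]] = value
        else:
            app_opts[key] = value
    return sasl_opts, app_opts


def sasl_getopt(sasl_opts: Dict[str, str], option: str, default=None):
    """Mimic the library's option lookup: 'pwcheck_method' resolves to the stripped key."""
    return sasl_opts.get(option, default)
```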


