PLAIN/LOGIN auth over SSL woes
What I currently have working:
Require CRAM-MD5 or DIGEST-MD5 authentication with or
without SSL.
What I want working:
Require CRAM-MD5 or DIGEST-MD5 authentication without SSL.
Additionally allow either LOGIN or PLAIN authentication
with SSL (but specifically forbid LOGIN or PLAIN without
SSL).
I've tried various combinations of config options but never
gotten what I want to work working. Below are relevant excerpts
from my Debian sarge config files:
/etc/mail/sendmail.mc
---------------------
define(`confTLS_SRV_OPTIONS', `V')
define(`confAUTH_REALM', `pauljlucas.org')
define(`confAUTH_MECHANISMS', `CRAM-MD5 DIGEST-MD5')
TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5')
ifelse(eval(sm_version_math >= 527360), `1', `dnl
define(`confAUTH_MECHANISMS',dnl
`EXTERNAL 'defn(`confAUTH_MECHANISMS'))dnl
TRUST_AUTH_MECH(`EXTERNAL')
)
define(`confAUTH_OPTIONS',`A p y')
/etc/mail/sasl/Sendmail.conf
----------------------
auto_transition: true
pwcheck_method: auxprop
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 0
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5
/etc/default/saslauthd
----------------------
MECHANISMS="pam"
For what I have working, I apparently do NOT need to run
saslauthd since everything works just fine without it.
Questions:
1. If I want to allow either LOGIN or PLAIN, must I run
saslauthd? If so, is the "pam" mechanism in
/etc/default/saslauthd correct? If not, what should it be?
I'd actually prefer not to be running another daemon if I can
get away with it.
2. Do I need to add "LOGIN PLAIN" *everywhere* "CRAM-MD5 DIGEST-MD5"
are currently mentioned?
3. Is Sendmail.conf correct? If not, what needs to change?
Thanks.
- Paul
Reply to: