Re: [Exim] Support for TLS/SSL

Author: patl
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] Support for TLS/SSL
On 11-Sep-00 at 02:05, Philip Hazel (ph10@???) wrote:
> > Is it worth considering replacing the native support with the
> > Cyrus library for increased compatibility?
>
> It is too late to replace it, because plenty of people have deployed it
> already.

Replacing the implementation wouldn't necessarily cause
incompatibilities at the user level.

> As I know nothing about the interface to the Cyrus library, I don't know
> how easy/hard it would be to make use of it within the current way that
> Exim works.
I'm not familiar enough with either to be much help. (I really
wish that I had the free cycles to look into this; but even if
someone wanted to pay me for it I wouldn't be able to start the
project for at least another month or two.)

> > I'm not very familiar with exactly what all is available in the
> > PAM interface; but the traffic on the cyrus-sasl mailing list
> > implies that the sasl library must directly support the sasldb
> > and Kerberos alongside PAM instead of making them PAM modules
> > because PAM does not (sufficiently?) support multiple realms.
>
> I don't grok "realms", I'm afraid, being very much a novice at all this
> stuff.

I doubt that I'm very far ahead of you on that. (And definitely
behind on whatever details of SMTP AUTH you've already dealt with.)

As I understand it they abstract the authentication into a tuple
containing the 'realm', 'entity', and 'credentials'. (I think the
terms may have come from Kerberos.) In practice, the realm might
translate to a (virtual) domain, the entity to a userid, and the
credentials to a password or fields from a client certificate. Or
the entity might be a program - e.g., Apache normally authenticates
itself to mysql as 'httpd'. You can basically think of realms as
separate namespaces in which the other portions of the tuple exist.

> If sasldb has some kind of database-like interface, it could perhaps be
> accessed from Exim by some new kind of lookup.
I think the sasldb is just a dbm (or similar) file that could
probably be accessed by Exim's existing lookups. The problem
is that I think its internal data structure (keys, fields, etc.)
isn't part of the published API and may change between releases.
I think this has already happened once. Using the library makes
it easier to keep in sync.

Hmm. I suppose you could add an explicit sasldb lookup and use
libsasl to access it without necessarily using the protocol
portions of the library. That would also give you a chance to
find out more about what the library provides and make it easier
to decide whether to replace existing code.
-Pat
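The two ideas in Pat's message, that a realm is a namespace partitioning (entity, credentials) pairs and that such a store can live in a dbm-style file, can be made concrete in a few lines. The following is an added illustration, not Exim or Cyrus SASL code, and it deliberately does not reproduce the real sasldb layout (which, as the message notes, is not a published API). The on-disk key layout (`realm NUL entity`), the salted PBKDF2 record, the function names `store_credentials`, `verify` and `demo`, and the sample realms, users and passwords are all constructed for this example.

```python
"""Model of the (realm, entity, credentials) tuple discussed in the thread.

Added example, not Exim or Cyrus SASL code. The key layout ("realm\\0entity")
and the hashed-password record are constructed for illustration; they are
NOT the real sasldb format.
"""
import dbm
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed choice for the example


def _key(realm: str, entity: str) -> bytes:
    # A realm is a namespace: the same entity name in two realms yields two
    # distinct keys, so "alice" in example.com never collides with "alice"
    # in example.org. NUL is a safe separator because neither part may contain it.
    if "\0" in realm or "\0" in entity:
        raise ValueError("realm and entity must not contain NUL")
    return f"{realm}\0{entity}".encode()


def store_credentials(path: str, realm: str, entity: str, password: str) -> None:
    """Record a salted PBKDF2 hash for (realm, entity); the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    with dbm.open(path, "c") as db:
        db[_key(realm, entity)] = salt + digest


def verify(path: str, realm: str, entity: str, password: str) -> bool:
    """Return True only if (realm, entity) exists and the password matches its record."""
    with dbm.open(path, "r") as db:
        record = db.get(_key(realm, entity))
    if record is None:
        # Unknown tuple: do the same hash work anyway so response time does not
        # reveal whether the entity exists in this realm.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    salt, stored = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Populate a throw-away store and show that realms partition the namespace."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "creds")
    # Constructed sample data: the same userid in two virtual domains, plus a
    # program identity (the message's Apache-to-MySQL 'httpd' case).
    store_credentials(path, "example.com", "alice", "s3cret-com")
    store_credentials(path, "example.org", "alice", "s3cret-org")
    store_credentials(path, "db.local", "httpd", "service-pw")
    return {
        "alice in example.com, right password": verify(path, "example.com", "alice", "s3cret-com"),
        "alice in example.com, example.org password": verify(path, "example.com", "alice", "s3cret-org"),
        "alice in example.org, right password": verify(path, "example.org", "alice", "s3cret-org"),
        "httpd in db.local, right password": verify(path, "db.local", "httpd", "service-pw"),
        "alice in unknown realm": verify(path, "example.net", "alice", "s3cret-com"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of the `_key` helper is the one Pat makes: the realm is part of the lookup key, so "alice" in one virtual domain and "alice" in another are unrelated principals with unrelated credentials. The dbm backing is only to echo the "dbm (or similar) file" remark; an Exim lookup that reached into such a file directly would be coupled to whatever key and record layout the library happens to use, which is exactly the fragility the message warns about.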