Re: [Exim] saslauthd - I love it!

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] saslauthd - I love it!
On Wed, Apr 28, 2004 at 12:02:28PM +0100, Matt Bernstein wrote:
> At 10:56 +0100 Matthew Byng-Maddick wrote:
>
> >Even better is to use:
> > http://colon.colondot.net/~mbm/ald-stuff/exim.cyrussasl.patch
> This looks good--from a cursory glance, it looks like it offers whatever
> mechanisms SASL offers. Have you tried this with DIGEST-MD5 or GSSAPI?
I haven't yet, because I don't have clients which I know to support them.

It is, however, just taking the mechanism straight from whatever cyrus
libsasl thinks. The bit I haven't included in the documentation (partly,
at least, because I'm not quite sure where it fits) is that the SASL name
(and hence Cyrus's own config) for the service is "Exim", so you may find
you need a /usr/lib/sasl/Exim.conf (the path is supposed to be standardised).

> [ I'm looking at switching our setup to krb5 over the summer, by which
> time we may, possibly, have a Kerberised Thunderbird too :) ]
Right.

> Have you any intentions of including client code? At this point I for one
> would like to see it in Exim proper.
My problem is that I've never really tried to use Cyrus SASL in a client
before, and although the documentation and examples seem to be reasonably
comprehensive where servers are concerned, I'm not quite as sure of myself
(and how to test it) where clients are concerned. I would like to write
client code though, if Cyrus SASL will support it reasonably.

> Thanks for the patch!
I flagged it here before, but I got the impression that it hadn't
necessarily had the coverage I wanted it to have.

There is one feature that I think it's really missing, which is to use
Exim's own TLS settings to feed into its security level, so that if you
set up Cyrus SASL to apply penalties for plaintext passwording, Plain/TLS
in exim will currently have that penalty. I need to do some reading of some
of the other SASL-based server mechanisms to see how I can get round this
(I think it's relatively easy, though the parameter in question varies from 0
to 255, and I need to find out what the relative strengths are...).

Cheers

Matthew

--
Matthew Byng-Maddick          <mbm@???>           http://colondot.net/
                      (Please use this address to reply)
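An added illustration of the missing feature described above; it is not part of the patch or of exim. It models, with the constants mirrored from libsasl2's sasl.h so it builds stand-alone, the check libsasl2 applies when deciding whether to offer a plaintext-password mechanism, and shows that under SASL_SEC_NOPLAINTEXT PLAIN is refused even on a TLS session until the TLS cipher strength has been handed to the library as the external SSF (a server does that with sasl_setprop(conn, SASL_SSF_EXTERNAL, &ssf)). The threshold modelled here (external SSF above 1 and at least min_ssf) is taken from the library's server-side mechanism filter and is an assumption about the version in use.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mirrored from libsasl2's <sasl/sasl.h> so this builds stand-alone; a real
 * server includes the header and reports the SSF via
 * sasl_setprop(conn, SASL_SSF_EXTERNAL, &ssf) rather than this struct. */
typedef unsigned int sasl_ssf_t;        /* 0 = none, 1 = integrity only, >1 = key bits */
#define SASL_SEC_NOPLAINTEXT  0x0001    /* mech does not expose a plaintext password */
#define SASL_SEC_NOANONYMOUS  0x0002    /* mech does not permit anonymous login */

struct conn_props {
    unsigned   security_flags;  /* properties the server demanded via SASL_SEC_PROPS */
    sasl_ssf_t min_ssf;         /* minimum acceptable protection */
    sasl_ssf_t external_ssf;    /* what the MTA reported for its TLS layer, if any */
};

/* Properties the mechanism plugins advertise; PLAIN cannot claim NOPLAINTEXT. */
#define MECH_PLAIN       (SASL_SEC_NOANONYMOUS)
#define MECH_DIGEST_MD5  (SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS)

/* Turn exim's view of the negotiated TLS cipher into an external SSF.
 * Without TLS there is no external layer at all. */
sasl_ssf_t tls_bits_to_ssf(bool tls_active, unsigned cipher_bits)
{
    if (!tls_active) return 0;
    return cipher_bits > 1 ? (sasl_ssf_t)cipher_bits : 1;
}

/* Model of libsasl2's server-side filter (assumption: its mech_permitted()
 * logic): the plaintext penalty is lifted only when an external layer
 * stronger than integrity-only also satisfies min_ssf; after that, any
 * demanded property the mechanism does not provide rules it out. */
bool mech_permitted(unsigned mech_flags, const struct conn_props *c)
{
    unsigned demanded = c->security_flags;
    if (c->external_ssf > 1 && c->min_ssf <= c->external_ssf)
        demanded &= ~SASL_SEC_NOPLAINTEXT;
    return ((mech_flags ^ demanded) & demanded) == 0;
}

int main(void)
{
    struct conn_props c = { SASL_SEC_NOPLAINTEXT, 0, 0 };
    printf("no TLS:      PLAIN %s, DIGEST-MD5 %s\n",
           mech_permitted(MECH_PLAIN, &c) ? "offered" : "refused",
           mech_permitted(MECH_DIGEST_MD5, &c) ? "offered" : "refused");
    c.external_ssf = tls_bits_to_ssf(true, 128);   /* e.g. a 128-bit cipher reported by exim */
    printf("TLS, ssf=%u: PLAIN %s\n", c.external_ssf,
           mech_permitted(MECH_PLAIN, &c) ? "offered" : "refused");
    return 0;
}
```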