Re: [exim] GNU SASL gsasl integration into Exim

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-users, exim-dev
Subject: Re: [exim] GNU SASL gsasl integration into Exim
On 2012-02-13 at 21:52 -0500, Phil Pennock wrote:
>  (5) Exim currently can not use a string with embedded NULs, supplied in
>      configuration, for DB lookups, so you can *not* just use the gsasl
>      driver to talk directly to sasldb2 and cut over.  It would be
>      informative to see expressions of serious interest by users who
>      want this, so that we can judge the importance of this work.


There is now a "dbmjz" branch in Exim's git repository which adds the
"dbmjz" lookup type. This new type is very similar to dbmnz, except
that the key is interpreted as an Exim list, the items of which are
joined together with ASCII NUL characters.

I can successfully authenticate to Exim using:

auth_cram_own:
  driver        = cram_md5
  public_name   = CRAM-MD5
  server_secret = ${lookup{$auth1:imap.spodhuis.org:userPassword}\
                    dbmjz{/usr/local/etc/sasldb2}{$value}fail}
  server_set_id = $auth1


Note here that "imap.spodhuis.org" is the server realm as used by my
Cyrus install, whereas "userPassword" is a literal string.

You need to make sure that the Exim run-time user has read access to the
sasldb2 file.

This also works with the new gsasl authenticator, so that with gsasl and
dbmjz you should be able to migrate from Cyrus SASL to GNU SASL while
using the same password stores.

This is not a commentary on Cyrus SASL: Exim supports multiple TLS
providers, multiple authenticators, etc. It's just that now we have the
GPL'd gsasl driver and a way for administrators to switch to this in
practice, rather than creating a lot of migration work.

Regards,
-Phil