on a similar note: enabling CRAM-MD5 auth for postfix+cyrus-imap+auxprop+mysql w/ encrypted passwords?

From: OpenMacNews (cyrus-sasl dot 20 dot openmacnews at spamgourmet dot com)
Date: Thu Nov 11 2004 - 18:32:58 EST

  • Next message: Howard Chu: "Re: on a similar note: enabling CRAM-MD5 auth for postfix+cyrus-imap+auxprop+mysql w/ encrypted passwords?"

    hi all,

    i've recently built up:

            cyrus-imap-2.2.8
            cyrus-sasl-2.1.20
            mysql-4.1.7
            postfix-2.2-20041030
            bdb-4.3.21/crypto

    on OSX 10.3.6.

    (a) i've set up for sealed-only virtual domains & accounts.

    (b) sasl's been patched to support crypt'd sql passwords via PLAIN auth with Brane Gračnar's patches @ http://frost.ath.cx/software/cyrus-sasl-patches/ :

            patch#1: dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c.patch

    and,

            patch#2: dist/2.1.19/cyrus-sasl-2.1.19-sql.c.patch

    (c) i've added:

           password_format: crypt # to smtpd.conf
      sasl_password_format: crypt # to imapd.conf

    (d) i'm front-ending with web-cyradm, using encrypted pwds in mysql

    (e) i'm using auxprop+sql for pwdcheck method directly, circumventing saslauthd and/or sasldb.

    now, at the moment, my imap client (Mulberry4a3, fwiw) is authenticating via PLAIN over TLSv1 -- or without TLS, of course -- without any problems.

    if, however, i enable CRAM-MD5 & DIGEST-MD5 auth mechs in imapd.conf & smtpd.conf, and attempt to login via imap client, i get a "NO authenitcation" error in the client, and

           imap[565]: badlogin: testserver.internal.testdomain.com [10.0.0.6] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]

    in my cyrus log.

    now, IIUC, this may not be a surprise to some, as --apparently -- use of cyrus secret-based auth requires pwds to be plaintext (i'm fuzzy on the why ..).

    workarounds seemingly include using courier's authdaemond, but that's not my goal ...

        ###############
        ## QUESTION(s):
            (1) what needs to change in Cyrus in order to enable secret-based auth using
                encrypted pwds?

            i presume SOMETHING needs to be patched ...
            (2) does a patch for this exist already? if so, can someone here provide
                a pointer URL?

            given what i've read online, storing NOTHING in plaintext is a fairly
            common policy, and use of mysql in this scenario is broadening ... so i'd
            propose that it's not unreasonable that others would like to see such a
            solution as well.
            (3) what will it take to get such support built directly into Cyrus?

    the Cyrus maintainers suggested that i put this forth _here_ on the list, and that sufficient discussion _might_ raise this on their priority list (it's apparently not that high, at the moment ...)

    thoughts? suggestions?

    cheers,

    richard

