From: Andreas Winkelmann (no email)
Date: Tue May 17 2005 - 14:50:03 EDT

On Tuesday 17 May 2005 18:56, Jason Walker wrote:
> > If you want to use more than one Domain-Part, saslauthd is not the right
> > choice and you should use the sql Auxprop-Plugin. (Unpatched, this will
> > only work with unencrypted Passwords).
> Why wouldn't saslauthd be the best way to do this? I am presently trying

Because of this Feature with the Domain Part in the Username. The Library will
lose the part behind the @. If you use auxprop and, in the case above, the
sql-Auxprop Plugin, the Username will arrive complete at the Backend.

Another disadvantage is the limitation to plain and login if you want to use
saslauthd. plain or login means the Password passes over the Line almost
unencrypted. You have to use TLS/SSL for security.

> to setup an environment where saslauthd authenticates against kerberos5
> for users, so as far as I know this is the only way for Postfix or

The Client sends Username/Password in cleartext over the wire. saslauthd
connects to Kerberos and verifies the Password.

> cyrus-imap to use kerberos5. Is there a reason auxprop-plugin would be
> better, and will that work with kerberos5?

GSSAPI uses the already issued Kerberos-Ticket. No Password crosses the Line.
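
Added example, not part of the original message: a small decoder for a SASL PLAIN initial response (RFC 4616), showing that the base64 on the wire is only an encoding, so the password is readable without TLS, and where the Domain Part sits in the username. The account name, realm and password are constructed sample values.

```python
import base64

# Constructed sample: what a client sends after "AUTH PLAIN".
# RFC 4616 layout: authzid NUL authcid NUL passwd, then base64-encoded.
SAMPLE = base64.b64encode(
    b"\x00jason@example.org\x00not-a-real-password"
).decode("ascii")


def parse_plain(initial_response_b64: str) -> dict:
    """Decode a SASL PLAIN initial response and split the login name."""
    # base64 is reversible by anyone who sees the bytes; no key is involved.
    raw = base64.b64decode(initial_response_b64, validate=True)

    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")

    # Split on the last '@'. Per the message above, only the part before
    # the '@' reaches the backend via saslauthd, while the sql auxprop
    # plugin receives the complete name.
    user, sep, realm = authcid.rpartition("@")
    if not sep:
        user, realm = authcid, ""

    return {
        "authzid": authzid,
        "authcid": authcid,
        "user": user,
        "realm": realm,
        "password": passwd,
    }


if __name__ == "__main__":
    fields = parse_plain(SAMPLE)
    print("on the wire :", SAMPLE)
    print("full login  :", fields["authcid"])
    print("user / realm:", fields["user"], "/", fields["realm"])
    print("password    :", fields["password"])
```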