[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH

To: openldap-software@OpenLDAP.org
Subject: Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: Fri, 10 Oct 2003 12:12:31 +0200
In-reply-to: <3F864822.3040109@billy.demon.nl>
References: <009801c38eb4$6c86d8e0$8601a8c0@CELLO> <3F864822.3040109@billy.demon.nl>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Tony Earnshaw wrote:

And Howard's ldapdb auxprop 1.9 still doesn't work, get the
same fault.


Howard Chu:

The ldapdb auxprop requires proxy authorization privileges, as it states in the README file.
I'll recompile the old one today and come back afterward. It's important for Postfix that there is ldap-based MD5 AUTH with standard (???!) - i.e. not 2.1.13 patched auxprop SASL libs, since these don't seem to work on RH 9.0 for some reason.

Thanks for stepping in!


O.k. Shortly: DIGEST-MD5 and CRAM-MD5 (the latter necessary for some
MUAs) work now - but not exactly as I'd like. Nevertheless, I can now
use the latest Postfix snapshots with Cyrus SASL 2.1.15 on RH 9 and thus
avoid the re-entrance problems of the 2.1.13 that I was experiencing.

The reason for the SASL regexp not working, seems to be that my DIT is based on DNs with CNs, not UIDs. Putting *only one single* DN of the type 'uid=arbitrator,dc=billy,dc=demon,dc=nl' effed up my whole database, so I could not go that way. I did try, every whichway I knew.

Leaving my slapd.conf 'sasl-regexp uid=(.*),cn=.*,cn=auth
"ldap:///dc=billy,dc=demon,dc=nl??sub?uid=admin";' as it is, I can use DN
cn=admin,dc=billy,dc=demon,dc=nl as SASL proxy, no problem. admin is my
proxy for other non-SASL related things as well, including some Postfix
LDAP-based maps.

Howard's ldapdb 1.9 does *not* work with the above. However, the version
shipped with Openldap 2.1.22 *does* work and authenticates with Postfix
snapshot 2.0.16-20030921 and MD-5. Pity about the starttls, but smtp
starttls can be used (compiled into Postfix) for smtp AUTH and anyway
DIGEST-MD5 should obviate the need for extra security - though TLS
encryption may well be necessary for "man-in-the-middle" mail sniffing.
All my Postfix LDAP stuff has STARTTLS "on" (available only in the
latest snapshot) and the proxy user's details are only available to root.

Many thanks to Howard, Igor and Quanah and to Andrew F. - I guess it is
- for the SASL part of the Admin guide.

--Tonni

--
Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl

Follow-Ups:
- Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH
  - From: Tony Earnshaw <tonni@billy.demon.nl>

References:
- RE: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH
  - From: "Howard Chu" <hyc@symas.com>
- Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: RE: back-bdb cachesize and DB_CONFIG set_cachesize
Next by Date: How a client should handle the returned updateref ( was: Can sla ve forward a modify request to the Master ?)
Index(es):
- Chronological
- Thread