
Re: Postfix 2.0.16 CRAM/DIGEST-MD5 SMTP AUTH

Tony Earnshaw wrote:

And Howard's ldapdb auxprop 1.9 still doesn't work, get the
same fault.

Howard Chu:

The ldapdb auxprop requires proxy authorization privileges, as it states in
the README file.

I'll recompile the old one today and come back afterward. It's important for Postfix that there is ldap-based MD5 AUTH with standard (???!) - i.e. not 2.1.13 patched auxprop SASL libs, since these don't seem to work on RH 9.0 for some reason.

Thanks for stepping in!

O.k. Shortly: DIGEST-MD5 and CRAM-MD5 (the latter necessary for some MUAs) work now - but not exactly as I'd like. Nevertheless, I can now use the latest Postfix snapshots with Cyrus SASL 2.1.15 on RH 9 and thus avoid the re-entrance problems of the 2.1.13 that I was experiencing.

The reason for the SASL regexp not working seems to be that my DIT is based on DNs with CNs, not UIDs. Putting *only one single* DN of the type 'uid=arbitrator,dc=billy,dc=demon,dc=nl' effed up my whole database, so I could not go that way. I did try, every which way I knew.

Leaving my slapd.conf 'sasl-regexp uid=(.*),cn=.*,cn=auth
"ldap:///dc=billy,dc=demon,dc=nl??sub?uid=admin";' as it is, I can use DN
cn=admin,dc=billy,dc=demon,dc=nl as SASL proxy, no problem. admin is my
proxy for other non-SASL related things as well, including some Postfix
LDAP-based maps.

Howard's ldapdb 1.9 does *not* work with the above. However, the version
shipped with OpenLDAP 2.1.22 *does* work and authenticates with Postfix
snapshot 2.0.16-20030921 and MD-5. Pity about the starttls, but smtp
starttls can be used (compiled into Postfix) for smtp AUTH and anyway
DIGEST-MD5 should obviate the need for extra security - though TLS
encryption may well be necessary for "man-in-the-middle" mail sniffing.
All my Postfix LDAP stuff has STARTTLS "on" (available only in the
latest snapshot) and the proxy user's details are only available to root.

Many thanks to Howard, Igor and Quanah and to Andrew F. - I guess it is
- for the SASL part of the Admin guide.


Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

Mail: billy-at-billy.demon.nl
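
Added example, not part of the original message or of Postfix/Cyrus SASL code: a sketch of the CRAM-MD5 exchange (RFC 2195) discussed in this thread, showing that the password never crosses the wire but that the server must be able to read the stored secret, which is the lookup an auxprop plugin performs against the directory. The `SECRETS` table, host name and credentials are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed stand-in for the secret store an auxprop plugin would query.
SECRETS = {"arbitrator": "s3cret-constructed"}

def make_challenge(host="mail.example.org"):
    """Server side: fresh msg-id style nonce, base64-encoded for the 334 reply."""
    rand = int.from_bytes(os.urandom(4), "big")
    nonce = "<%d.%d@%s>" % (rand, int(time.time()), host)
    return base64.b64encode(nonce.encode()).decode()

def client_response(user, password, challenge_b64):
    """Client side: HMAC-MD5 over the decoded challenge, keyed with the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()

def server_verify(challenge_b64, response_b64, secrets=SECRETS):
    """Server side: recompute the digest from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64).decode()
        user, digest = decoded.rsplit(" ", 1)
        challenge = base64.b64decode(challenge_b64)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64 or missing "user digest" structure
    secret = secrets.get(user)
    if secret is None:
        return False  # unknown user: no secret to key the HMAC with
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.encode())

if __name__ == "__main__":
    ch = make_challenge()
    resp = client_response("arbitrator", "s3cret-constructed", ch)
    print("334", ch)
    print(resp)
    print("accepted:", server_verify(ch, resp))
    # A captured response is bound to its challenge and fails against a new one.
    print("replayed:", server_verify(make_challenge(), resp))
```

The exchange protects only the credential; the mail that follows the AUTH step is still sent in clear unless STARTTLS is in use.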