
Re: sasldb or PAM

  • Patrick Ben Koetter
    Message 1 of 2 , Nov 7, 2011
      * gaby <gaby@...>:
      > I use the PAM authentication method to send email via postfix with Cyrus SASL.
      > If I use the sasldb2 method instead of PAM, is it more secure, or more OK? Is sasldb
      > more usable?

      There are two sections you need to pay attention to:

      1. Transmission of identification data over the network
      2. Storage of authentication data in a backend, where libsasl can access and
      verify the identification data.

      The most secure method with regular clients is 1) to use PLAIN and LOGIN over
      a TLS secured transport layer and 2) store authentication data crypted. sasldb
      can do that and PAM can do that too.

      Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
      identification data over a transport layer that isn't TLS protected, but you
      will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
      NTLM require access to plaintext password for comparison.

      p@rick


      --
      All technical questions asked privately will be automatically answered on the
      list and archived for public access unless privacy is explicitly required and
      justified.

      saslfinger (debugging SMTP AUTH):
      <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
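
The tradeoff described in the message above, as an added example that is not part of the original post and is not Cyrus SASL code: PLAIN can be checked against a one-way hash but exposes the password on the wire, while CRAM-MD5 keeps the password off the wire but needs it in the backend. The user name, password, challenge, PBKDF2 parameters and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, os

ITER = 100_000  # PBKDF2 work factor chosen for this example

def store_hashed(password: str):
    """Backend record usable with PLAIN/LOGIN: salt plus one-way hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def verify_plain(message: bytes, hashed_users: dict) -> bool:
    """PLAIN (RFC 4616): authzid NUL authcid NUL passwd arrives from the client."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    entry = hashed_users.get(parts[1].decode(errors="replace"))
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", parts[2], salt, ITER)
    return hmac.compare_digest(candidate, stored)

def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5 (RFC 2195): user SP hex(HMAC-MD5(password, challenge))."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {mac}".encode()

def verify_cram_md5(response: bytes, challenge: bytes, plaintext_users: dict) -> bool:
    """Server side: recomputes the HMAC, so the backend must hand over the password."""
    user, _, mac = response.decode(errors="replace").rpartition(" ")
    password = plaintext_users.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())

def demo() -> dict:
    user, password = "alice", "s3cret-example"      # constructed credentials
    challenge = b"<12345.67890@mail.example.org>"   # constructed server challenge
    plain_wire = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
    cram_wire = base64.b64encode(cram_md5_response(user, password, challenge))
    return {
        "plain_ok": verify_plain(base64.b64decode(plain_wire), {user: store_hashed(password)}),
        "cram_ok": verify_cram_md5(base64.b64decode(cram_wire), challenge, {user: password}),
        "password_in_plain_wire": password.encode() in base64.b64decode(plain_wire),
        "password_in_cram_wire": password.encode() in base64.b64decode(cram_wire),
    }

if __name__ == "__main__":
    print(demo())
```

The base64 wrapping that SMTP AUTH applies to PLAIN is only an encoding, which is why the password is recoverable from the wire message unless the session is protected by TLS.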