Re: Fw: sasldb or PAM
* gaby <gaby@...>:
> I use TLS with PAM, but what is disadvantage PAM versus sasldb?
> Sasldb is more security?
sasldb must be read/write protected from other users, but remain readable to
the user postfix or one of the groups it is in e.g. group sasl.
sasldb must reside on the same machine as the Postfix instance that uses
With PAM you can access various backends. It depends on the backend you use.
If you use system accounts, I'd say sasldb is more secure, because it separates
mail accounts from system accounts. If the backend is a database on a
different host, it may be more secure.
It depends on your PAM backend.
> ----- Original Message -----
> From: Patrick Ben Koetter
> To: postfix-users@...
> Sent: Monday, November 07, 2011 11:06 AM
> Subject: Re: sasldb or PAM
> * gaby <gaby@...>:
> > I use PAM authentication method for send email via postfix with Cyrus Sasl.
> > If use sasldb2 method instead PAM, it is more secure, or more OK? Sasldb is
> > more usable?
> There are two sections you need to pay attention to:
> 1. Transmission of identification data over the network
> 2. Storage of authentication data in a backend, where libsasl can access and
> verify the identification data.
> The most secure method with regular clients is 1) to use PLAIN and LOGIN over
> a TLS secured transport layer and 2) store authentication data crypted. sasldb
> can do that and PAM can do that too.
> Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
> identification data over a transport layer that isn't TLS protected, but you
> will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
> NTLM require access to plaintext password for comparison.
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> saslfinger (debugging SMTP AUTH):
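Added example, not part of the original thread: the storage tradeoff described above, in Python. With PLAIN the server receives the password (hence the need for TLS) and can check it against a one-way hash; with CRAM-MD5 the server has to recompute an HMAC keyed with the password, so the backend must hold the password itself. The user, password and challenge are constructed sample values, and PBKDF2 is an assumed stand-in for whatever hashing the backend applies.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "alice", "correct horse"
ROUNDS = 100_000  # assumption: PBKDF2 stands in for the backend's password hashing


def store_hashed(password):
    """What a backend can keep when clients use PLAIN/LOGIN: salt + one-way hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def verify_plain(response, salt, digest):
    """PLAIN (RFC 4616): authzid NUL authcid NUL passwd; hash what arrived, compare."""
    _authzid, authcid, passwd = base64.b64decode(response).split(b"\0")
    candidate = hashlib.pbkdf2_hmac("sha256", passwd, salt, ROUNDS)
    return authcid == USER.encode() and hmac.compare_digest(candidate, digest)


def cram_md5_response(user, password, challenge):
    """CRAM-MD5 (RFC 2195) client: user SP hex(HMAC-MD5(key=password, challenge))."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode())


def verify_cram_md5(response, challenge, stored_secret):
    """Server recomputes the same HMAC, so stored_secret must be the password itself."""
    user, _, mac = base64.b64decode(response).decode().partition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return user == USER and hmac.compare_digest(mac, expected)


def demo():
    salt, digest = store_hashed(PASSWORD)
    plain = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode())
    challenge = b"<1896.697170952@mail.example.org>"  # constructed server challenge
    cram = cram_md5_response(USER, PASSWORD, challenge)
    return {
        "plain_vs_hash": verify_plain(plain, salt, digest),
        "cram_vs_plaintext": verify_cram_md5(cram, challenge, PASSWORD.encode()),
        # A one-way hash is useless as the HMAC key, so CRAM-MD5 fails against it.
        "cram_vs_hash": verify_cram_md5(cram, challenge, digest),
    }
```

Calling `demo()` returns the three verification results: PLAIN succeeds against the hashed store, CRAM-MD5 succeeds only when the server holds the plaintext password.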