
Re: Fw: sasldb or PAM

  • Patrick Ben Koetter
    Message 1 of 2, Nov 7, 2011
      * gaby <gaby@...>:
      > I use TLS with PAM, but what is the disadvantage of PAM versus sasldb?
      > Is sasldb more secure?

      sasldb must be read/write protected from other uses, but remain readable to
      the user postfix or one of the groups it is in e.g. group sasl.
      sasldb must reside on the same machine as the Postfix instance that uses
      sasldb.

      With PAM you can access various backends. It depends on the backend you use.
      If you use system accounts, I'd say sasldb is more secure, because it separates
      mail accounts from system accounts. If the backend is a database on a
      different host, it may be more secure.

      It depends on your PAM backend.

      p@rick
      >
      > ----- Original Message -----
      > From: Patrick Ben Koetter
      > To: postfix-users@...
      > Sent: Monday, November 07, 2011 11:06 AM
      > Subject: Re: sasldb or PAM
      >
      >
      > * gaby <gaby@...>:
      > > I use the PAM authentication method to send email via Postfix with Cyrus SASL.
      > > If I use the sasldb2 method instead of PAM, is it more secure, or more OK? Is sasldb
      > > more usable?
      >
      > There are two sections you need to pay attention to:
      >
      > 1. Transmission of identification data over the network
      > 2. Storage of authentication data in a backend, where libsasl can access and
      > verify the identification data.
      >
      > The most secure method with regular clients is 1) to use PLAIN and LOGIN over
      > a TLS secured transport layer and 2) store authentication data encrypted. sasldb
      > can do that and PAM can do that too.
      >
      > Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
      > identification data over a transport layer that isn't TLS protected, but you
      > will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
      > NTLM require access to the plaintext password for comparison.
      >
      > p@rick
      >
      >
      > --
      > All technical questions asked privately will be automatically answered on the
      > list and archived for public access unless privacy is explicitly required and
      > justified.
      >
      > saslfinger (debugging SMTP AUTH):
      > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

      --
      All technical questions asked privately will be automatically answered on the
      list and archived for public access unless privacy is explicitly required and
      justified.

      saslfinger (debugging SMTP AUTH):
      <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
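The storage half of the tradeoff described in the quoted message, as an added illustration that is not code from the thread or from Cyrus SASL: PLAIN (RFC 4616) carries the password itself, so the server can check it against a salted hash, whereas CRAM-MD5 (RFC 2195) carries an HMAC of a server challenge, so the server must hold the plaintext password to recompute it. The account, password and challenge are constructed sample values, and PBKDF2-SHA256 is an assumed hash format, not a Cyrus default.

```python
# Added example, not code from the thread: the storage side of the tradeoff.
# PLAIN (RFC 4616) carries the password itself, so the server can verify it
# against a salted hash; CRAM-MD5 (RFC 2195) carries HMAC-MD5(password,
# challenge), so the server must hold the password to recompute the MAC.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed, not a Cyrus SASL default)

def make_hashed_record(password: str) -> dict:
    """What a backend can store for PLAIN/LOGIN over TLS: salt + PBKDF2 hash only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def plain_wire(authcid: str, password: str) -> str:
    """Client side of PLAIN: base64(authzid NUL authcid NUL password), empty authzid."""
    return base64.b64encode(f"\0{authcid}\0{password}".encode()).decode()

def verify_plain(record: dict, wire: str) -> bool:
    """Server side of PLAIN: decode, then recompute the hash from the password."""
    _authzid, _authcid, password = base64.b64decode(wire).decode().split("\0")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: 'user ' + hex(HMAC-MD5(password, challenge))."""
    return f"{user} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}"

def verify_cram_md5(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5: only works with the plaintext password as HMAC key."""
    _user, _, mac = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

def verify_cram_md5_from_hash(record: dict, challenge: bytes, response: str) -> bool:
    """A hash-only backend cannot verify CRAM-MD5: keying the HMAC with the
    stored hash does not reproduce the client's MAC, so a valid login is rejected."""
    _user, _, mac = response.partition(" ")
    attempt = hmac.new(record["hash"], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, attempt)
```

Run against the same constructed account, PLAIN verifies from the hash record while CRAM-MD5 verifies only when the server is given the plaintext password.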