On Mon, 2004-05-31 at 15:47, Farkas Levente wrote:
my main question here (as always) why we need sasl at all? what is the main pros for sasl? I've never seen any good reason.
SMTP AUTH is done with SASL, so IP-address restrictions and POP/IMAP-before-SMTP are the only alternatives.
SASL is really just a list of requirements for an authentication mechanism to be SASL compatible. There are plaintext SASL mechanisms (PLAIN, LOGIN) which are commonly used with SMTP authentication.
When talking about SASL library it usually does much more than just implement the few SASL mechanisms. It has to know how to verify the passwords and where to find user's home directory etc. dovecot-auth for example consists of:
# user/password databases (pam, ldap, sql, ..) ~/cvs/dovecot/src/auth% wc -l db-*.c|tail -1 975 total ~/cvs/dovecot/src/auth% wc -l userdb*.c|tail -1 881 total ~/cvs/dovecot/src/auth% wc -l passdb*.c|tail -1 1497 total # password matching functions (crypt, md5, ..) ~/cvs/dovecot/src/auth% wc -l password*.c|tail -1 475 total # sasl authentication mechanisms ~/cvs/dovecot/src/auth% wc -l mech-*.c 82 mech-anonymous.c 251 mech-cram-md5.c 250 mech-cyrus-sasl2.c 652 mech-digest-md5.c 136 mech-plain.c 1371 total
Only the mech-*.c files are SASL mechanism specific code. ANONYMOUS could be done pretty much by sending username "anonymous" and empty password. CRAM-MD5 and DIGEST-MD5 aren't really useful if SSL is being used, except with them server never sees the plaintext password. What could actually be very useful are Kerberos and OTP mechanisms, if someone just implemented them.
anyway why do you use dovecot-auth for postfix? postfix has many authentication mechanism for everything.
AFAIK Postfix uses only Cyrus SASL library for authentication, it hasn't implemented anything internally and it doesn't support any other library (and there aren't many). And Cyrus SASL was the thing I've always disliked.
It also means less configuration.