Cyrus-SASL Help Here?


Cyrus-SASL Help Here?

Rich Shepard
   The pre-built Slackware package installed here for cyrus-sasl-2.1.22 is
too limited. I downloaded the source, configured and tried to run 'make'.
But, I get errors.

   Can I get help with this on this mail list?

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863

Re: Cyrus-SASL Help Here?

Victor Duchovni
On Tue, Jun 17, 2008 at 11:44:01AM -0700, Rich Shepard wrote:

>   The pre-built Slackware package installed here for cyrus-sasl-2.1.22 is
> too limited. I downloaded the source, configured and tried to run 'make'.
> But, I get errors.
>
>   Can I get help with this on this mail list?

Building SASL is a nightmare. Leave it to the distribution release
engineers. Replacing the bundled "libtool" with a much more recent
"libtool" may help, but is not easy.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Cyrus-SASL Help Here?

Rich Shepard
On Tue, 17 Jun 2008, Victor Duchovni wrote:

> Building SASL is a nightmare. Leave it to the distribution release
> engineers. Replacing the bundled "libtool" with a much more recent
> "libtool" may help, but is not easy.

   Thank you, Victor. I'll rebuild the package from the distribution.

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863

Re: Cyrus-SASL Help Here?

ktm@rice.edu
In reply to this post by Victor Duchovni
On Tue, Jun 17, 2008 at 02:51:48PM -0400, Victor Duchovni wrote:

> On Tue, Jun 17, 2008 at 11:44:01AM -0700, Rich Shepard wrote:
>
> >   The pre-built Slackware package installed here for cyrus-sasl-2.1.22 is
> > too limited. I downloaded the source, configured and tried to run 'make'.
> > But, I get errors.
> >
> >   Can I get help with this on this mail list?
>
> Building SASL is a nightmare. Leave it to the distribution release
> engineers. Replacing the bundled "libtool" with a much more recent
> "libtool" may help, but is not easy.
>
> --
> Viktor.
>
I will second that statement. We build a local version of cyrus-sasl-2.1.22
here because of a need for cross-platform support together with Heimdal
Kerberos support. It can be done but you may need a few iterations before
it works well. Good luck.

Cheers,
Ken


Re: Cyrus-SASL Help Here?

Rich Shepard
On Tue, 17 Jun 2008, Kenneth Marshall wrote:

> I will second that statement. We build a local version of
> cyrus-sasl-2.1.22 here because of a need for cross-platform support
> together with Heimdal Kerberos support. It can be done but you may need a
> few iterations before it works well. Good luck.

Ken,

   Luck not as necessary as thinking. :-)

   I looked in the distribution's cyrus-sasl.SlackBuild script and modified
it based on the ./configure options in the Postfix book. That turned out to
be a mistake; bad executable, no libs, no mail.

   Then I cleaned up the script, adding only those mechanisms not included by
default (the one default is 'login'), and rebuilt the package.
Removed/reinstalled and now 'saslauthd -v' reports:

saslauthd 2.1.22
authentication mechanisms: getpwent kerberos5 pam rimap shadow

which is fine.

   I still don't know if I want to stick with saslauthd for our little domain
or use the plugins. I need advice on that.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863

Re: Cyrus-SASL Help Here?

Jorey Bump
In reply to this post by Rich Shepard
Rich Shepard wrote, at 06/17/2008 02:44 PM:
>   The pre-built Slackware package installed here for cyrus-sasl-2.1.22 is
> too limited. I downloaded the source, configured and tried to run 'make'.
> But, I get errors.
>
>   Can I get help with this on this mail list?

How is it limited? What version of Slackware are you using? On 12.0, the
only change I needed to make was to switch to /dev/urandom because
/dev/random was blocking due to insufficient entropy.

What mechanisms do you need to support?


Re: Cyrus-SASL Help Here?

Rich Shepard
On Tue, 17 Jun 2008, Jorey Bump wrote:

> How is it limited? What version of Slackware are you using? On 12.0, the
> only change I needed to make was to switch to /dev/urandom because
> /dev/random was blocking due to insufficient entropy.

Jorey,

   The default was only shadow. I modified the SlackBuild script to add more
mechanisms for flexibility. Changing the script and rebuilding the package
worked flawlessly.

   Still running -11.0, but plan to upgrade to -12.1 Real Soon Now.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863

Re: Cyrus-SASL Help Here?

Jorey Bump
In reply to this post by Rich Shepard
Rich Shepard wrote, at 06/17/2008 03:36 PM:

>   I still don't know if I want to stick with saslauthd for our little
> domain
> or use the plugins. I need advice on that.

My own preference was to isolate mail users from the system, so I
switched to Cyrus IMAPd and use sasldb2 for authentication. This allows
me to extend the mechanisms I offer to PLAIN, LOGIN, CRAM-MD5, &
DIGEST-MD5. Modern clients tend to default to a stronger mechanism, if
available, so client configuration is simpler and more flexible (I also
enforce a high security level, to discourage any attempts to send
unencrypted plaintext logins).

Another advantage to ditching saslauthd is that it represents a single
point of failure, adding one more daemon to troubleshoot. In its favor,
saslauthd can use the encrypted passwords in /etc/shadow, but I dislike
creating system users just for mail, even if they are assigned something
like /bin/false as a shell.
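
[Added example, not part of the original post or of Cyrus SASL's code: a CRAM-MD5 exchange (RFC 2195) showing why a shared-secret mechanism needs a store such as sasldb2 that holds the password itself, while a one-way hash like those in /etc/shadow can only back plaintext mechanisms. The user name, password, hostname and store are constructed sample values.]

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample store standing in for sasldb2: the server keeps the
# shared secret itself, because CRAM-MD5 verification needs it as the HMAC key.
SECRET_STORE = {"rich": "correct horse battery"}


def server_challenge(hostname="mail.example.com"):
    """Server step 1: issue a unique msg-id style challenge, base64-encoded."""
    nonce = f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"
    return base64.b64encode(nonce.encode()).decode()


def client_response(user, password, challenge_b64):
    """Client step: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(challenge_b64, response_b64, store=SECRET_STORE):
    """Server step 2: recompute the HMAC from the stored secret and compare."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
        challenge = base64.b64decode(challenge_b64)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64 or missing "user digest" separator
    secret = store.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def demo():
    """Return (good login, wrong password, replayed reply, hash-only store)."""
    challenge = server_challenge()
    good = client_response("rich", "correct horse battery", challenge)
    bad = client_response("rich", "wrong password", challenge)
    # Stand-in for a one-way hash store (real /etc/shadow uses crypt(3)):
    hashed = {"rich": hashlib.sha512(b"correct horse battery").hexdigest()}
    return (server_verify(challenge, good), server_verify(challenge, bad),
            server_verify(server_challenge(), good),  # old reply, new challenge
            server_verify(challenge, good, store=hashed))
```

The last result is False even though the client used the right password: a server that only holds a one-way hash cannot recompute the HMAC. The cost of the sasldb2 approach is that the file holds recoverable passwords, so its permissions and backups need the same care as a key file.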



Re: Cyrus-SASL Help Here?

Rich Shepard
On Tue, 17 Jun 2008, Jorey Bump wrote:

> My own preference was to isolate mail users from the system, so I switched
> to Cyrus IMAPd and use sasldb2 for authentication. This allows me to
> extend the mechanisms I offer to PLAIN, LOGIN, CRAM-MD5, & DIGEST-MD5.
> Modern clients tend to default to a stronger mechanism, if available, so
> client configuration is simpler and more flexible (I also enforce a high
> security level, to discourage any attempts to send unencrypted plaintext
> logins).

   Good points, Jorey. When I get time I'll read up on the Cyrus IMAPd and
sasldb2 and install them.

> Another advantage to ditching saslauthd is that it represents a single
> point of failure, adding one more daemon to troubleshoot. In its favor,
> saslauthd can use the encrypted passwords in /etc/shadow, but I dislike
> creating system users just for mail, even if they are assigned something
> like /bin/false as a shell.

   True. We're only two users here with a few aliases so it's not a really
big issue.

Many thanks,

Rich

--
Richard B. Shepard, Ph.D.               |  Integrity            Credibility
Applied Ecosystem Services, Inc.        |            Innovation
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863