Postfix with Cyrus SASL

Paul Schmehl pauls at utdallas.edu
Thu Jan 10 14:18:09 PST 2008


--On Thursday, January 10, 2008 17:01:03 -0500 Gerard <gerard at seibercom.net> wrote:

> On Thu, 10 Jan 2008 15:46:33 -0600
> Shawn Barnhart <swb at grasslake.net> wrote:
>
>> Paul Schmehl wrote:
>> > It should, because it calls this:
>> >
>> > .if defined(WITH_SASL2)
>> > LIB_DEPENDS+=           sasl2.2:${PORTSDIR}/security/cyrus-sasl2
>> > POSTFIX_CCARGS+=        -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${LOCALBASE}/include -I${LOCALBASE}/include/sasl
>> > POSTFIX_AUXLIBS+=       -L${LOCALBASE}/lib -lsasl2 -lpam -lcrypt
>> > .endif
>> >
>> > Yes, you need to install saslauthd, however, if you checked the
>> > OPTION when you installed Postfix, it's most likely already
>> > installed.  You *also* need to enable saslauthd in /etc/rc.conf:
>> >
>> > [root@mail /usr/ports/mail/postfix]# grep sasl /etc/rc.conf
>> > saslauthd_enable="YES"
>> > saslauthd_flags=" -a pam -n 2"
>> >
>> > (This uses /etc/passwd through pam, btw.)
>> >
>> > Look at /usr/local/etc/rc.d/saslauthd.sh for the options and flags
>> > available or read man (8) saslauthd.
>> >
>>
>> Either I'm totally fubar, or the ports snapshot I have is braindead
>> as I did select the SASL option when I built postfix and I have sasl
>> libs in /usr/local/lib and /usr/local/lib/sasl2 but none of the other
>> sasl components are installed.  No saslauthd in /usr/local/etc/rc.d,
>> no manpage, just libraries mentioned above, and my postfix smtpd does
>> appear to have a sasl library run-time dependency per ldd.
>>
>> Is the better fix to manually re-install the same Cyrus sasl port or
>> deinstall both it and postfix and rebuild postfix with the sasl
>> option and hope I get a complete build?
>
> It has been a while; however, if I remember correctly, the 'saslauthd'
> daemon is not installed by Postfix. I think you are confusing this with
> SASL in general. You might want to read the 'Complete Book of Postfix'
> for further information on getting SASL up and running. BTW, unless it
> has changed, 'saslauthd' only handles plain text authentication.

I think you're right.  It's been a while for me as well, but looking at ports I 
see that there's a totally separate cyrus-sasl2-saslauthd port, and it doesn't 
appear to be a dependency for postfix.

I think saslauthd will handle Kerberos as well as plaintext, but most people 
use plaintext and then ssl-ize postfix to encrypt the session.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
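
Added example (not part of the original message, and not code from the Postfix or FreeBSD projects): a shell check for the gaps discussed in this thread, namely a missing or disabled saslauthd and plaintext SASL authentication that is not restricted to TLS sessions. The function names conf_get and audit_sasl and the sample files are hypothetical; smtpd_sasl_auth_enable, smtpd_tls_auth_only and smtpd_tls_security_level are standard Postfix main.cf parameters that do not appear in the thread.

```sh
#!/bin/sh
# Added example: audit a FreeBSD Postfix + saslauthd setup (illustrative, not from the thread).

# Last value assigned to KEY in a key=value file (rc.conf or main.cf), quotes stripped.
# Assumption: each value sits on one line (no main.cf continuation lines).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# audit_sasl RC_CONF MAIN_CF RCD_DIR: print one finding per line, nothing if clean.
audit_sasl() {
    # The daemon comes from the separate cyrus-sasl2-saslauthd port. The thread
    # names the rc script saslauthd.sh; the name without .sh is also accepted
    # (assumption: newer ports install it without the suffix).
    if [ ! -e "$3/saslauthd" ] && [ ! -e "$3/saslauthd.sh" ]; then
        echo "MISSING: no saslauthd rc script in $3"
    fi
    case "$(conf_get "$1" saslauthd_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "DISABLED: saslauthd_enable is not YES in $1" ;;
    esac
    # Plaintext passwords should only be accepted inside an encrypted session.
    if [ "$(conf_get "$2" smtpd_sasl_auth_enable)" = "yes" ] &&
       [ "$(conf_get "$2" smtpd_tls_auth_only)" != "yes" ] &&
       [ "$(conf_get "$2" smtpd_tls_security_level)" != "encrypt" ]; then
        echo "CLEARTEXT: SASL AUTH is offered without requiring TLS in $2"
    fi
}

# Constructed sample input: a host with no saslauthd rc script, then a corrected one.
demo=$(mktemp -d)
mkdir "$demo/bad.d" "$demo/good.d"
printf '%s\n' 'sshd_enable="YES"' > "$demo/bad.rc"
printf '%s\n' 'smtpd_sasl_auth_enable = yes' > "$demo/bad.cf"
: > "$demo/good.d/saslauthd.sh"
printf '%s\n' 'saslauthd_enable="YES"' 'saslauthd_flags=" -a pam -n 2"' > "$demo/good.rc"
printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_tls_auth_only = yes' > "$demo/good.cf"

echo "== before =="; audit_sasl "$demo/bad.rc" "$demo/bad.cf" "$demo/bad.d"
echo "== after ==";  audit_sasl "$demo/good.rc" "$demo/good.cf" "$demo/good.d"
```

On a real host the arguments would be /etc/rc.conf, /usr/local/etc/postfix/main.cf and /usr/local/etc/rc.d (the main.cf path is an assumption; the other two appear in the thread).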


