From: Simon Matter (simon dot matter at ch dot sauter-bc dot com)
Date: Thu Jun 17 2004 - 01:52:23 EDT
> Simon Matter wrote:
>>>Let's make a summary of my requirements then:
>>>1) shell access, imap access and smtp auth for all users
>> no problem with userPassword as SSHA in LDAP
> Why specifically SSHA? I guess any kind of encrypting should be OK, no?
Sure, every crypt method works (only SSHA is the most common today).
>>>2) no single password transmittable in clear text
>> no problem with ssh, imap/tls, smtp/starttls does it, transport
>> is the key here
> And then just login authentication methods, OK. Is there a way to prevent
> smtp auth over plain smtp however, and force smtps only?
I'm using it only with postfix where you have to let postfix advertise
smtpauth only if the connection has proceeded starttls and is encrypted.
No password is going over the wire in cleartext. You may check out the
following options in postfix for this to work:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
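
A way to check a main.cf for the condition described in the reply above (AUTH advertised only once the session is encrypted), as an added example that is not part of the original message. The function names and the weak variant are constructed for illustration; smtpd_tls_security_level and smtpd_enforce_tls are Postfix parameters that the message does not mention.

```python
# Added example: flag a Postfix main.cf that offers SMTP AUTH without TLS.

def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                        # blank lines and comments
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped   # leading whitespace continues a line
        else:
            logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def is_yes(params, name):
    return params.get(name, "no").lower() == "yes"

def audit_auth_over_tls(params):
    """Return a list of findings; an empty list means AUTH is TLS-only."""
    if not is_yes(params, "smtpd_sasl_auth_enable"):
        return []                           # AUTH is not offered at all
    level = params.get("smtpd_tls_security_level")  # newer form of smtpd_use_tls
    if level is not None:
        tls_offered = level in ("may", "encrypt")
        tls_mandatory = level == "encrypt"  # STARTTLS required before other commands
    else:
        tls_mandatory = is_yes(params, "smtpd_enforce_tls")
        tls_offered = tls_mandatory or is_yes(params, "smtpd_use_tls")
    findings = []
    if not tls_offered:
        findings.append("AUTH enabled but STARTTLS is not offered")
    if not tls_mandatory and not is_yes(params, "smtpd_tls_auth_only"):
        findings.append("smtpd_tls_auth_only is not yes: AUTH is advertised before STARTTLS")
    return findings

# The five settings from the message, then a constructed weak variant.
FROM_MESSAGE = (
    "smtpd_sasl_auth_enable = yes\nbroken_sasl_auth_clients = yes\n"
    "smtpd_client_restrictions = permit_sasl_authenticated\n"
    "smtpd_use_tls = yes\nsmtpd_tls_auth_only = yes\n")
WEAK = FROM_MESSAGE.replace("smtpd_tls_auth_only = yes", "# smtpd_tls_auth_only = yes")
print(audit_auth_over_tls(parse_main_cf(FROM_MESSAGE)))
print(audit_auth_over_tls(parse_main_cf(WEAK)))
```

The audit reads the file only; it does not cover listeners whose settings are overridden with -o in master.cf.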