Cyrus SASL and exim4

Ross Boylan ross at biostat.ucsf.edu
Fri Jan 11 14:30:07 UTC 2008


On Fri, 2008-01-11 at 12:13 +0200, Fabian Fagerholm wrote:
> I don't think you need to create /etc/sasl to get Exim working with
> Cyrus SASL. According to the package description, the Debian Exim
> packages have Cyrus SASL in the exim4-daemon-heavy package, so you
> should be able to get it to work by just following the Exim docs.
> 
exim4-daemon-heavy doesn't ship with any sasl configuration files.
exim4-config includes a template for a cyrus-sasl authenticator, but it
says
# Authentcate against cyrus-sasl
# This is mainly untested, please report any problems to
# pkg-exim4-users at lists.alioth.debian.org.

It has SASL support in the sense that the binary is compiled with that
option enabled.
> A general warning about Cyrus SASL is that there is a *lot* of outdated
> documentation out there. It's mostly usable, but things become confusing
> when the path names don't match the current scheme.
> 

I got hung up on two points.  First, I didn't realize I needed an
exim-specific SASL configuration file.  I thought it could use the
parameters in my imap configuration, mostly because I was thinking of
SASL as a daemon rather than a library.

The second problem, finally solved with some help from the (regular, not
Debian) exim list, was that I didn't have the right realm.
sasldblistusers2 showed the names had the form
name at hostname
where hostname is just the first part of the FQDN.  So the exim
authenticator needed to be configured with
cram_md5_sasl_server:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_set_id = $auth1
  server_realm = corn
in my case.  The template was
# cram_md5_sasl_server:
#   driver = cyrus_sasl
#   public_name = CRAM-MD5
#   server_realm = <short main hostname>
#   server_set_id = $auth1
I guess I found out what "short" meant on the realm.

I was a bit surprised to find it was not the FQDN; I created sasldb
following the instructions I could find.  I'm also surprised Cyrus is
working with that realm.  (Also, I would have guessed that the realm
only mattered for Kerberos, but then I don't know sasl too well.)

My network and machine name were not properly set up in the early life of
my system, and I may have created the sasldb during that period.

Is the unqualified hostname usually the realm?


P.S. My email to fabbe at paniq.net was rejected.  A deliberate
misspelling?
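
The realm mismatch described in the message above can be checked mechanically. The following is an added example, not part of the original message or of the Debian packages: it compares the realms in `sasldblistusers2` output with the active `server_realm` of an Exim `cyrus_sasl` authenticator. The function names and all sample data (including `corn.example.org`) are constructed for illustration.

```shell
#!/bin/sh
# Compare realms stored in sasldb with server_realm in an Exim
# cyrus_sasl authenticator. All sample data below is constructed.

# Constructed sample of `sasldblistusers2` output (user@realm: property).
SAMPLE_SASLDB='ross@corn: userPassword
alice@corn: userPassword
bob@corn.example.org: userPassword'

# Constructed Exim authenticator stanza, with the commented template above it.
SAMPLE_EXIM='# cram_md5_sasl_server:
#   server_realm = <short main hostname>
cram_md5_sasl_server:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_set_id = $auth1
  server_realm = corn.example.org'

# Print each distinct realm found in sasldblistusers2 output on stdin.
sasldb_realms() {
    sed -n 's/^[^@]*@\([^:]*\):.*$/\1/p' | sort -u
}

# Print the first active (uncommented) server_realm value from stdin.
exim_server_realm() {
    sed -n 's/^[[:space:]]*server_realm[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print user@realm entries on stdin whose realm differs from $1.
# These are the entries stored under a realm other than the configured one.
users_outside_realm() {
    awk -F'[@:]' -v r="$1" 'NF >= 3 && $2 != r { print $1 "@" $2 }'
}

realm=$(printf '%s\n' "$SAMPLE_EXIM" | exim_server_realm)
echo "Exim server_realm: $realm"
echo "Realms in sasldb:"
printf '%s\n' "$SAMPLE_SASLDB" | sasldb_realms | sed 's/^/  /'
echo "Entries stored under a different realm:"
printf '%s\n' "$SAMPLE_SASLDB" | users_outside_realm "$realm" | sed 's/^/  /'
```

On a real system, pipe the output of `sasldblistusers2` and the Exim authenticator configuration into these functions instead of the constructed samples.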




More information about the Pkg-cyrus-sasl2-debian-devel mailing list