Exim 4 and GSSAPI

Andreas Metzler ametzler at bebt.de
Fri Nov 15 15:43:46 GMT 2024


On 2024-11-14 Simon Josefsson <simon at josefsson.org> wrote:
> Andreas Metzler <ametzler at bebt.de> writes:
[...]
>> Debian's exim binary packages do not have either of them enabled, you
>> would need to compile the binary yourself.

> That's somewhat challenging?  Today libgsasl doesn't link with
> MIT/Heimdal by default, but instead opens them via dlopen() through
> libgssglue, maybe it would be acceptable for exim in debian to support
> GSSAPI via gsasl this way?  I think this was discussed before with some
> argument that mixing Cyrus SASL and GNU SASL in the same binary was a
> problem, but I don't understand that argument.  To me it is like saying
> mixing libz and libzstd in the same binary is problematic.

Hello Simon,

yes, I agree that is not a /very/ good argument. I have a couple of
thoughts about this:
There is a soft limit on the number of build-dependencies exim can
use. If we built against all possible external dependencies the exim
source packages would end up being entangled in all transitions and
would often be blocked from testing migration due to a dependency's
(or dependency's dependency's) rc bug.

Similar restrictions apply to binary packages' dependencies;
exim4-daemon-heavy already goes pretty much overboard there. (This
might get simpler in the next exim major release, which will allow
building many things as loadable modules. But only if we drop dynamic
loading of local_scan.)

To me exim's authenticator list looks very messy:
1 There are a couple of built-in ones (plain/login, cram-md5, spa,
  external and the special pseudo-authenticator TLS) with a strange
  user interface (just look at the examples for AUTH login). All of
  these (except TLS) offer client- and server-side. Upstream is very
  reluctant to extend this list (e.g. to support scram-sha-256).
2 heimdal exists, but the docs are not very enlightening.
3 cyrus-sasl and dovecot allow using the respective IMAP daemon's
  authentication data. These are very powerful since the IMAP daemons
  already support many, many backends.
4 There is also saslauthd as an alternative and extension to the cyrus-sasl
  authenticator.
5 And then there is gsasl.
LDAP, SQL, ... and PAM can be used as lookups in combination with
especially (1).
(1) are server- and client-side (i.e. outgoing SMTP); the others are
server-side only, except for GSASL.

The Debian packages have support for some of (1) and (4) in -light and
most of the above except for heimdal and gsasl in -heavy. I am quite
reluctant to change this by dropping something, since this would break
somebody's use case.

I do not think gsasl would offer a lot of additional functionality to
the present set; the only thing I can see is more algorithms for
outgoing SMTP, the rest should already be possible via saslauthd (even
GSS-API). Gsasl/exim does not seem to be very popular; howto docs are
hard to find. It would not help with the PAM-permission problem (exim
cannot read /etc/shadow) the way a helper binary like saslauthd can. I
suspect for most users dovecot authentication is the best choice
currently.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
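Added example, not from the post above or the Debian exim packages: an exim "authenticators" section illustrating the split described in the message, with the server-side-only dovecot driver handling inbound AUTH and one of the built-in drivers (plaintext) handling outgoing SMTP to a smarthost, both gated on TLS. The socket path, relay user name and the password placeholder are assumed values.

```exim
# Added illustration of the authenticator split discussed above (not part of
# the post). Assumed values: the Dovecot socket path, the relay user name and
# the password placeholder.

begin authenticators

# Server side: delegate the password check to Dovecot's auth socket, so exim
# itself needs no read access to /etc/shadow or to Dovecot's backends.
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  # advertise AUTH only once the inbound connection is encrypted
  server_advertise_condition = ${if def:tls_in_cipher}
  server_set_id = $auth1

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_advertise_condition = ${if def:tls_in_cipher}
  server_set_id = $auth1

# Client side (outgoing SMTP): dovecot, cyrus_sasl and saslauthd cannot do
# this, so a built-in driver is used. In client_send, ^ is replaced by NUL,
# giving the PLAIN message "\0user\0password" (empty authzid).
smarthost_plain:
  driver = plaintext
  public_name = PLAIN
  # never send the password unless the outbound session is encrypted
  client_condition = ${if def:tls_out_cipher}
  client_send = ^smtp-relay-user^PASSWORD_PLACEHOLDER
```

The client authenticator is only attempted when the smtp transport that delivers to the smarthost lists the host in hosts_try_auth or hosts_require_auth.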



More information about the Pkg-exim4-users mailing list