Discussion:
different sasl_mech_lists for imap and http?
Pim Zandbergen
2018-10-11 17:13:42 UTC
Is there a simple way to configure a different sasl_mech_list for imap
and http?

I was allowing login, plain, cram-md5 and digest-md5 using sasldb, when
I noticed digest-md5 is not working at all for http.
But it works fine for imap.

I started noticing this when it turned out iOS CalDAV/CardDAV clients
could not authenticate.
iOS, once it sees digest-md5 offered, apparently will not fall back to
other mechs.
Other *dav clients appear to be less picky, especially over SSL.
But other *dav clients will start to fail too, if digest-md5 is the only
mech available.

Since I can't figure out what's wrong with my SASL setup, I'd like to
disable digest-md5 for http,
but leave it enabled for imap where it works fine.

I'm using cyrus imap 3.0.8 on Fedora.
Ken Murchison
2018-10-11 17:28:39 UTC
Yes.  Each option in imapd.conf can be prefixed with a service name from
cyrus.conf.

So if your services are named 'imap' and 'http', use:

imap_sasl_mech_list

http_sasl_mech_list


Definitely don't rely on Digest for http.  Most implementations are
either broken or incompatible.  I should have never attempted to make
DIGEST-MD5 work for http.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
Pim Zandbergen
2018-10-11 17:50:46 UTC
Right, I tried that, but used the wrong prefix ("dav" instead of "http").

So I would probably need to define imaps_sasl_mech_list and
https_sasl_mech_list too.

Can I save one line by mixing prefixed and non-prefixed options as a
default? Like

sasl_mech_list: login plain cram-md5 digest-md5
http_sasl_mech_list: login plain cram-md5
https_sasl_mech_list: login plain cram-md5

Thanks, also for not having to worry about digest-md5 not working.
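Added example, not part of the thread and not Cyrus code: a small audit script that resolves the sasl_mech_list each service would get under the service-prefix rule described above, flags DIGEST-MD5 on the http services, and reports prefixes that match no service (the "dav" mistake). It assumes the unprefixed option acts as the default when a service has no prefixed entry and that the services are named imap, imaps, http and https; the function names and sample config are constructed for illustration.

```python
# Added example: resolve the effective sasl_mech_list per Cyrus service name.
import re

def parse_imapd_conf(text):
    """Return {option: value} from imapd.conf-style 'option: value' lines."""
    opts = {}
    for line in text.splitlines():
        # Comment lines ('#') and blank lines do not match and are skipped.
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts

def effective_mechs(opts, service, option="sasl_mech_list"):
    """'<service>_<option>' wins; otherwise the unprefixed default (assumption)."""
    value = opts.get(f"{service}_{option}", opts.get(option, ""))
    return [mech.upper() for mech in value.split()]

def unmatched_prefixes(opts, services, option="sasl_mech_list"):
    """Prefixes such as 'dav' that name no service and so never take effect."""
    suffix = "_" + option
    return sorted(k[:-len(suffix)] for k in opts
                  if k.endswith(suffix) and k[:-len(suffix)] not in services)

def audit(opts, services, http_services=("http", "https")):
    """Map each service to (mechanisms, True if DIGEST-MD5 is offered over HTTP)."""
    report = {}
    for svc in services:
        mechs = effective_mechs(opts, svc)
        report[svc] = (mechs, svc in http_services and "DIGEST-MD5" in mechs)
    return report

# Constructed sample: the three lines from the post plus a wrongly prefixed one.
SAMPLE = """\
sasl_mech_list: login plain cram-md5 digest-md5
http_sasl_mech_list: login plain cram-md5
https_sasl_mech_list: login plain cram-md5
dav_sasl_mech_list: login plain
"""

if __name__ == "__main__":
    services = ["imap", "imaps", "http", "https"]  # names as in cyrus.conf (assumed)
    opts = parse_imapd_conf(SAMPLE)
    for svc, (mechs, flagged) in audit(opts, services).items():
        print(f"{svc:6} {' '.join(mechs)}{'  <-- DIGEST-MD5 on HTTP' if flagged else ''}")
    print("prefixes matching no service:", unmatched_prefixes(opts, services))
```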