Mailing List Archive

[Bug 411] cyrus_sasl authenticator sets wrong appname
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

http://www.exim.org/bugzilla/show_bug.cgi?id=411





------- Comment #2 from jochen@schalanda.name 2006-11-14 13:49 -------
(In reply to comment #1)
> It might be that the correct resolution for this is to have the Spec explicitly
> mention in section 36 that the application name is set to "exim" -- it probably
> should be noted, so that people don't have to try "exim.conf", "Exim.conf" or
> other combinations or check the source to see which capitalisation is needed.

You are probably right. My point is that I had to look up the application name
in the source code. I was misled by the option server_service for the
cyrus_sasl authenticator and the behaviour I remembered from another MTA
(Postfix). The best solution would be to mention the application name in the
specification.

--
Configure bugmail: http://www.exim.org/bugzilla/userprefs.cgi?tab=email

--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 411] cyrus_sasl authenticator sets wrong appname

------- Comment #1 from exim-dev@spodhuis.org 2006-11-14 12:49 -------
I strongly disagree.

There is an application name and a service name. Service name is used by SASL
so that things like GSSAPI can ensure that the right Kerberos service
credential is used (the first "smtp" in: smtp/smtp.spodhuis.org@SPODHUIS.ORG).

The application name is used for finding the optional config for SASL
initialisation. It is not the same as the service and should not be. Multiple
software products can implement a service and an administrator should be able
to configure them independently (either on different ports or trying them out
individually without having them stomp on each other).

If you have a need to change this then it needs to be a different Exim config.
Every piece of software I've seen has always hard-coded the appname, though.
It keeps things simple -- global SASL config for app "Foo" is in "Foo.conf" in
the sasl2 directory.

It would be good to know what problem you're trying to solve, that this is
necessary.

It might be that the correct resolution for this is to have the Spec explicitly
mention in section 36 that the application name is set to "exim" -- it probably
should be noted, so that people don't have to try "exim.conf", "Exim.conf" or
other combinations or check the source to see which capitalisation is needed.

[Bug 411] cyrus_sasl authenticator sets wrong appname

exim-dev@spodhuis.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|SMTP Authentication |Documentation




------- Comment #3 from exim-dev@spodhuis.org 2006-11-14 17:39 -------
First an apology to the dev-list: I didn't notice that email copies of tickets
don't include the real name, only the email address. C'est moi, Phil Pennock.

Suggested text extra paragraph in section 36, before 36.1, covering another
related topic below; I don't off-hand remember when Exim does or does not
filter the environment so someone should sanity-check that part:

The application name provided by Exim is "exim", so various SASL options may be
set in "exim.conf" in your SASL directory. If using GSSAPI for Kerberos please
note that ecause of limitations in the GSSAPI interface, changing the server
keytab might need to be communicated down to the Kerberos layer independently.
The mechanism for doing so is dependent upon the Kerberos implementation. Eg,
for Heimdal the environment variable KRB5_KTNAME may be set to point to an
alternative keytab file. Exim will pass this variable through from its own
inherited environment when started as root or the Exim user. The keytab file
needs to be readable by the Exim user.


I believe that that should provide sufficient information for anyone wanting to
set it up. I have GSSAPI authentication working quite nicely with Exim;
Mulberry is a client which supports it. Transparent ticket-based
authentication for email submission is nice. :-)

-Phil
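
The lookup discussed in this thread, as an added example that is not part of the original messages or of Exim: a shell check for whether a config file matching the application name "exim" exists with the exact capitalisation, and whether the keytab named by KRB5_KTNAME is readable. The directory list, the function names and the world-readable test are assumptions added here.

```shell
#!/bin/sh
# Added example (not Exim code): locate the SASL config Exim's appname selects.
APPNAME="exim"   # application name stated in the thread

# find_sasl_conf DIR...  prints one of:
#   ok PATH        exact-case APPNAME.conf found
#   miscased PATH  only a file differing in case exists (e.g. Exim.conf)
#   missing        nothing found in any directory
find_sasl_conf() {
    want="$APPNAME.conf"
    miscased=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir"/*; do
            [ -e "$path" ] || continue
            name=${path##*/}
            if [ "$name" = "$want" ]; then
                echo "ok $path"; return 0
            fi
            lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
            if [ "$lower" = "$want" ]; then miscased="$path"; fi
        done
    done
    if [ -n "$miscased" ]; then echo "miscased $miscased"; else echo "missing"; fi
}

# keytab_status [FILE]  defaults to $KRB5_KTNAME; run it as the Exim user.
# Prints unset, unreadable, world-readable (added hardening check) or ok.
keytab_status() {
    kt=${1:-${KRB5_KTNAME:-}}
    kt=${kt#FILE:}                      # accept the FILE:/path form
    if [ -z "$kt" ]; then echo "unset"; return 0; fi
    if [ ! -r "$kt" ]; then echo "unreadable"; return 0; fi
    if [ -n "$(find "$kt" -prune -perm -004 2>/dev/null)" ]; then
        echo "world-readable"           # service keys exposed to every local user
    else
        echo "ok"
    fi
}

# Assumed SASL config directories; adjust for your build.
find_sasl_conf /etc/sasl2 /usr/lib/sasl2 /usr/lib64/sasl2
keytab_status
```

The readability test only reflects the Exim user's view when the script is run as that user.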

[Bug 411] cyrus_sasl authenticator sets wrong appname

------- Comment #4 from exim-dev@spodhuis.org 2006-11-14 17:41 -------
Aargh, I can't spell "because". I suck. Sorry.
