The CRAM-MD5 and DIGEST-MD5 SASL Authentication Mechanisms

These two credential exchange mechanisms depend on the tip of the iceberg being a shared secret, that both parties have available to them in plaintext, prior to the actual exchange of credentials.

Starting at such tip, the mechanisms basically describe a methodology for the server and the client to each end up with an iceberg of the same dimensions, so that it can be compared, and matched.

The principle of storing a shared secret at any one location – let alone at multiple individual, stand-alone locations – that also harbors the attack surface of a service is a virtual no-go. Storing the shared secret in plaintext is one type of offence, and storing the shared secret in a reverse-cryptable fashion is another type of offence.

However, some networks may have, in the past, some long time ago, consciously or otherwise, decided that running a PKI was just slightly too inconvenient, and perhaps unprotected traffic would therefore need not exchange any user’s credentials in humanly legible form. Enter secrecy for the wire, but obscurity for the client and the server both.

Important

It MUST be very clear by now, such CAN NOT sustain an environment with the continued support of Kolab.

If it is not yet all that clear though, please feel free to contact your friendly consultant at Kolab Systems AG.

To migrate such environments, one might enable CRAM-MD5 and/or DIGEST-MD5 authentication credential exchange mechanisms. The assumption is that either you use /etc/sasldb2 and have the means to synchronize password changes over however many systems, or that you already use a plugin allowing you to centralize the storage so it can be reached by multiple systems, over the network. Re-apply whichever logic to your Kolab servers, and you should be fine and live happily ever after – you get rid of plain text copies of users’ passwords on your servers.

1. In /etc/imapd.conf, ensure the following is set:

   sasl_pwcheck_method: auxprop saslauthd
   

2. Add to /etc/imapd.conf, if it doesn’t already exist:

   sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
   

3. Ensure (albeit contrary to the aforementioned advice) you have the cyrus-sasl-md5 package installed:

   # yum -y install cyrus-sasl-md5

4. Entertain Postfix with a similar set of configuration items in /etc/sasl2/smtpd.conf:

   pwcheck_method: auxprop saslauthd
   auxprop_plugin: sasldb
   mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
   

5. Restart services as you deem appropriate.

Now you can test the functionality as follows:

$ imtest -t "" -u cyrus-admin -a cyrus-admin -w LDAP_PASSWORD

Add this user with a different password, to the local sasldb:

$ saslpasswd2 -c cyrus-admin

And run again:

$ imtest -t "" -u cyrus-admin -a cyrus-admin -w LDAP_PASSWORD

Also run:

$ imtest -t "" -m CRAM-MD5 -u cyrus-admin -a cyrus-admin -w SASLDB_PASSWORD