As of Cyrus-SASL 2.x, SASL can limit the mechanisms it offers to an application such as Postfix. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf. Restricting the list to plain and login matches pwcheck_method: saslauthd, because saslauthd can only verify a password it receives in the clear. Keep in mind that both mechanisms transmit the password unencrypted (base64 is an encoding, not encryption), so they should only be offered on connections protected by TLS.

```
pwcheck_method: saslauthd
mech_list: plain login
```
You can check this by telnetting to your Postfix server:
Example 2. Telnet to Postfix server to test for SASL mechanisms it offers
```
[root@hosting root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.state-of-mind.de ESMTP Postfix (1.1.11-20021106) NO UCE
EHLO client.example.com
250-mail.state-of-mind.de
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-XVERP
250 8BITMIME
QUIT
221 Bye
Connection closed from foreign host.
```

Only the mechanisms listed in mech_list appear in the AUTH line. The second line, AUTH=PLAIN LOGIN, is the non-standard form Postfix additionally emits for older clients that do not understand the RFC 2554 syntax.
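The telnet check above can be scripted so that it runs on every mail host after a configuration change. The following Python script is an added example written for this HOWTO; it is not part of the original page, of Postfix or of Cyrus-SASL. It sends EHLO, parses the multi-line 250 reply (both the standard AUTH line and the legacy AUTH= line), compares the advertised mechanisms against the mech_list you configured, and warns when PLAIN or LOGIN are offered on an unencrypted session. The host name client.example.com and the embedded sample reply are assumptions; the sample is constructed from the transcript above, not a live capture.

```python
"""Probe an SMTP server's EHLO reply and report the SASL mechanisms it offers.

Added example for this HOWTO; not part of the original page, Postfix or
Cyrus-SASL. Host names and the sample reply below are assumptions.
"""
import socket
import sys

# Mechanisms that carry the password in the clear (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample modelled on the telnet transcript above; not a live capture.
SAMPLE_EHLO_REPLY = (
    "250-mail.state-of-mind.de\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 20480000\r\n"
    "250-ETRN\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250-XVERP\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Extract ESMTP keywords, AUTH mechanisms and STARTTLS from a 250 reply.

    Both "AUTH PLAIN LOGIN" (RFC 2554) and the non-standard "AUTH=PLAIN LOGIN"
    line Postfix emits for old clients are recognised.
    """
    mechs = set()
    keywords = []
    starttls = False
    lines = [l for l in reply.splitlines() if l.startswith("250")]
    for line in lines[1:]:              # lines[0] is the server's host name
        body = line[4:].strip()         # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        if keyword.upper().startswith("AUTH="):   # legacy "AUTH=" form
            params = keyword[5:] + " " + params
            keyword = "AUTH"
        keyword = keyword.upper()
        keywords.append(keyword)
        if keyword == "AUTH":
            mechs.update(m.upper() for m in params.split())
        elif keyword == "STARTTLS":
            starttls = True
    return {"mechanisms": sorted(mechs), "starttls": starttls, "keywords": keywords}


def unexpected_mechanisms(parsed: dict, allowed) -> set:
    """Mechanisms the server offers beyond those configured in mech_list."""
    return set(parsed["mechanisms"]) - {m.upper() for m in allowed}


def findings(parsed: dict, session_encrypted: bool = False) -> list:
    """Warn when password-in-the-clear mechanisms are offered without TLS."""
    out = []
    clear = set(parsed["mechanisms"]) & PLAINTEXT_MECHS
    if clear and not session_encrypted:
        out.append("plaintext mechanisms %s offered before TLS" % ", ".join(sorted(clear)))
    if not parsed["mechanisms"]:
        out.append("server does not advertise AUTH at all")
    return out


def _read_reply(rfile) -> str:
    """Read one SMTP reply; a '-' after the code means more lines follow."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def probe(host: str, port: int = 25, helo_name: str = "client.example.com",
          timeout: float = 10.0) -> dict:
    """Connect, send EHLO, return the parsed reply. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                                  # 220 banner
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)                                  # 221 Bye
    return parse_ehlo(reply)


if __name__ == "__main__":
    # Usage: python probe_sasl.py [host] [port]; defaults probe localhost:25.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = probe(host, port)
    print("offered:", result["mechanisms"])
    print("beyond mech_list:", sorted(unexpected_mechanisms(result, ["plain", "login"])))
    for warning in findings(result):
        print("WARNING:", warning)
```

Run it against a server whose smtpd.conf carries mech_list: plain login and the "beyond mech_list" set should be empty; any extra mechanism means Postfix is not reading the smtpd.conf you edited. The plaintext warning is expected on port 25 without STARTTLS; it disappears only when the probe is run over an encrypted session.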
| Important |
|---|
| This parameter is not available to Cyrus-SASL 1.5.x users. If you want to limit the mechanisms there, you must remove the corresponding libraries from your /usr/lib/sasl directory, which is a bad idea™ if other applications that use SASL rely on exactly the libraries you remove. |