13. Limiting SASL mechanisms

As of Cyrus-SASL 2.x, SASL can limit the mechanisms it offers to an application such as Postfix. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf:

    pwcheck_method: saslauthd    (1)
    mech_list: plain login       (2)

(1) This also works with auxprop.

(2) Postfix will only offer PLAIN and LOGIN.

You can check this by telnetting to your Postfix server:

Example 2. Telnet to Postfix server to test for SASL mechanisms it offers

[root@hosting root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.state-of-mind.de ESMTP Postfix (1.1.11-20021106) NO UCE
EHLO client.example.com
250-mail.state-of-mind.de
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN    (1)
250-AUTH=PLAIN LOGIN
250-XVERP
250 8BITMIME
QUIT
221 Bye
Connection closed by foreign host.

(1) With the smtpd.conf configuration shown above, Postfix announces only the mechanisms set with the parameter mech_list.
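The telnet check above is manual. The following script, added here as an example and not part of the original howto, automates the same verification: it parses an EHLO response, collects every mechanism announced on the AUTH lines (both the "AUTH PLAIN LOGIN" form and the older "AUTH=PLAIN LOGIN" form Postfix emits for compatibility), and reports anything beyond what mech_list should permit. The embedded SAMPLE_EHLO_RESPONSE is constructed from the session shown above; fetch_ehlo_response is an assumed helper for running the check against a live server and is not exercised offline.

```python
import smtplib

# Constructed sample: the EHLO response from the telnet session in this section.
SAMPLE_EHLO_RESPONSE = """250-mail.state-of-mind.de
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-XVERP
250 8BITMIME"""


def advertised_auth_mechanisms(ehlo_response):
    """Return the set of SASL mechanisms announced in an EHLO response.

    Recognises both "250-AUTH PLAIN LOGIN" (RFC 2554 syntax) and the
    legacy "250-AUTH=PLAIN LOGIN" line. Names are normalised to upper case
    so that "plain" in smtpd.conf compares equal to "PLAIN" on the wire.
    """
    mechanisms = set()
    for line in ehlo_response.splitlines():
        if not line.startswith("250"):
            continue
        # Drop the "250-" / "250 " status prefix to get the EHLO keyword line.
        keyword_line = line[4:].strip()
        upper = keyword_line.upper()
        if upper.startswith("AUTH="):
            body = keyword_line[len("AUTH="):]
        elif upper == "AUTH" or upper.startswith("AUTH "):
            body = keyword_line[len("AUTH"):]
        else:
            continue
        mechanisms.update(name.upper() for name in body.split())
    return mechanisms


def unexpected_mechanisms(ehlo_response, allowed):
    """Mechanisms offered beyond the allowed list; empty set means mech_list is honoured."""
    return advertised_auth_mechanisms(ehlo_response) - {name.upper() for name in allowed}


def fetch_ehlo_response(host, port=25, helo_name="client.example.com", timeout=10):
    """Assumed helper: fetch a live server's EHLO response in the form the parser expects."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %s" % (code, message.decode(errors="replace")))
        # smtplib strips the status prefix from each line; put it back for the parser.
        return "\n".join("250-" + line for line in message.decode(errors="replace").splitlines())


if __name__ == "__main__":
    extra = unexpected_mechanisms(SAMPLE_EHLO_RESPONSE, ["plain", "login"])
    print("unexpected mechanisms:", sorted(extra) or "none")
```

Run it against a real server by replacing SAMPLE_EHLO_RESPONSE with fetch_ehlo_response("localhost"); a non-empty result means the running SASL library is not honouring mech_list (for example because the smtpd.conf in use is not the one you edited).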

Important

The mech_list parameter is not available to Cyrus-SASL 1.5.x users. If you want to limit the mechanisms there, you must remove the corresponding libraries from your /usr/lib/sasl directory, which is a bad idea™ if other applications using SASL rely on exactly the libraries you remove.