0

What does saslpasswd2 do, in particular, what is the domain option for:

-u domain
    use domain for user domain (realm).

UPDATE: Suppose, I:

  • smtp login to smtp.mydomain.com,
  • as myself@myotherdomain.com (with password1)
  • and want to send an email From: support@mypubliccompany.com,
  • which should be relayed to Google's SMTP server: smtp.gmail.com
  • logging in as (myself@myaccount.com with some other password2),

which of these 5 domains is a domain that is sasl's concern? In fact, why does sasl care about domains at all and not just password strings and username strings (which may include domains)?

user14645

1 Answer

3

Some documentation is more verbose [1]:

-u domain (default: system FQDN hostname)
    Use domain to set user domain property (realm).

SASL can be used for authenticating users with different realms (domains, FQDN, servers ...). You can think of it as an email address, which consists of user and domain.

This is required to cover some authentication methods (e.g. Kerberos) that require realm information to operate. More about SASL [2].

[1] https://sys4.de/en/blog/2015/01/07/cyrus-sasl-saslpasswd2-man-page/

[2] https://www.ietf.org/rfc/rfc4422.txt

Jakuje
  • Thanks -- have updated the question. So, it sounds like sasl is responsible for validating email domains. Is it at all related to the SMTP server login? – user14645 Jun 27 '15 at 21:28
  • @user14645 Sorry, I missed your comment. As I note in the answer, it depends on the authentication method. For some methods it is enough to use just username and password, or the domain name can be part of the username. In your example, you are probably logging in without a domain at all, so you should not need to worry about this. – Jakuje Jul 06 '15 at 12:18
  • So is the purpose of specifying the domain to saslpasswd simply to allow the username to include or not include a domain, or is it somehow related to checking certificates of the domain against a trusted source (e.g. as SSL)? – user14645 Jul 07 '15 at 15:51
  • Basically yes. Some authentication backends support or require the domain (as the above-mentioned Kerberos, where it is usually called principal) and some don't, but there must be a way to specify it. Kerberos is a great way of handling single sign-on in a company environment. – Jakuje Jul 07 '15 at 18:11
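
A simplified model of how a realm scopes a SASL credential, as an added example (not part of the original answer or comments, and not Cyrus SASL's own code). The `SaslDbModel` class, its login-splitting rule and the default realm value are assumptions for illustration; the DIGEST-MD5 hash input follows RFC 2831.

```python
import hashlib
import hmac

# Assumption: the server's FQDN, which is what -u defaults to.
DEFAULT_REALM = "smtp.mydomain.com"

class SaslDbModel:
    """Toy stand-in for a SASL secrets store keyed by (user, realm)."""

    def __init__(self, default_realm=DEFAULT_REALM):
        self.default_realm = default_realm
        self.secrets = {}

    def add_user(self, user, password, realm=None):
        # Models: saslpasswd2 -c [-u realm] user
        self.secrets[(user, realm or self.default_realm)] = password

    def split_login(self, login):
        # Modelling assumption: 'user@realm' carries its own realm,
        # a bare 'user' falls back to the default realm.
        user, sep, realm = login.partition("@")
        return (user, realm) if sep and realm else (user, self.default_realm)

    def check_plain(self, login, password):
        stored = self.secrets.get(self.split_login(login))
        return stored is not None and hmac.compare_digest(stored, password)

def digest_md5_secret(user, realm, password):
    # RFC 2831: the long-term secret is H(username ":" realm ":" passwd),
    # so the realm is part of the hashed credential itself.
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def demo():
    db = SaslDbModel()
    # Constructed sample entry using the names from the question.
    db.add_user("myself", "password1", realm="myotherdomain.com")
    a = digest_md5_secret("myself", "myotherdomain.com", "password1")
    b = digest_md5_secret("myself", DEFAULT_REALM, "password1")
    return {
        "with_realm": db.check_plain("myself@myotherdomain.com", "password1"),
        "bare_user": db.check_plain("myself", "password1"),
        "same_secret": a == b,
    }

if __name__ == "__main__":
    print(demo())
```

In this model the realm is only a lookup and hashing scope for the SASL login name; the From: header and the relay's own credentials never enter it.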