Cyrus SASL

Welcome to Cyrus SASL.

What is Cyrus SASL?

Simple Authentication and Security Layer (SASL) is a specification that describes how authentication mechanisms can be plugged into an application protocol on the wire. Cyrus SASL is an implementation of SASL that makes it easy for application developers to integrate authentication mechanisms into their application in a generic way.

The latest stable version of Cyrus SASL is 2.1.28.

Cyrus IMAP uses Cyrus SASL to provide authentication support to the mail server, however it is just one project using Cyrus SASL.


Cyrus SASL provides a number of authentication plugins out of the box.

LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, EXTERNAL, GSSAPI, OTP, PASSDSS, PLAIN, SCRAM, SRP

This document is an introduction to Cyrus SASL. It is not intended to be an exhaustive reference for the SASL Application Programming Interface (API), which is detailed in the SASL manual pages, and the libsasl.h header file.

Known Bugs

libtool doesn’t always link libraries together. In our environment, we only have static Krb5 libraries; the GSSAPI plugin should link these libraries in on platforms that support it (Solaris and Linux among them) but it does not. It also doesn’t always get the runpath of libraries correct.

Cyrus SASL