SASL authentication via dovecot?

  • Marco Fioretti
    Message 1 of 16 , May 31, 2007
      Greetings,

      the postfix sasl readme, http://www.postfix.org/SASL_README.htm

      says:

      >The Cyrus SASL library is a lot of code. With this, Postfix becomes
      >as secure as other mail systems that use the Cyrus SASL library.
      >Dovecot provides an alternative that may be worth considering.

      In principle, I like the idea of doing without Cyrus, since I have
      to run an IMAP server anyway and had already chosen Dovecot.
      However, I would like to know what other list members think of this
      approach: is it as secure as Cyrus, are you using it but
      configured differently, is that page up to date...

      The page also says:

      >Support for the Dovecot version 1 SASL protocol is available in
      >Postfix 2.3 and later.

      If one only has a binary package of Postfix, how can he check if
      dovecot support was compiled in? (without finding the makefile and
      looking at it, that is)

      TIA,
      Marco
    • Benjamin Donnachie
      Message 2 of 16 , May 31, 2007
        Marco Fioretti wrote:
        > In principle, I like the idea of doing without Cyrus, since I have
        > to run an IMAP server anyway and had already chosen Dovecot.

        Cyrus-SASL is separate from Cyrus-IMAP.

        > If one only has a binary package of Postfix, how can he check if
        > dovecot support was compiled in? (without finding the makefile and
        > looking at it, that is)

        postconf -a

        Ben
      • Marco Fioretti
        Message 3 of 16 , May 31, 2007
          Benjamin wrote:

          > Cyrus-SASL is separate from Cyrus-IMAP.

          Yes, I know. The sense of my question was "Can I do without Cyrus-SASL,
          at least as far as email is concerned?"

          > > If one only has a binary package of Postfix, how can he check
          > >if dovecot support was compiled in? (without finding the makefile
          > >and looking at it, that is)
          >
          > postconf -a

          sorry for this second question, I had found the answer myself one second
          after posting, re-reading the postfix variables description... :-(

          Marco
        • Benjamin Donnachie
          Message 4 of 16 , May 31, 2007
            Marco Fioretti wrote:
            > Yes, I know. The sense of my question was "Can I do without Cyrus-SASL,
            > at least as far as email is concerned?"

            Yes, if your postfix has been compiled with support for dovecot-SASL.

            Though, I seem to recall that postfix only supports Cyrus-SASL when
            acting as a client. But that shouldn't affect you if you only wish to
            authenticate users, ie postfix acting as server.

            Take care,

            Ben
          • Miguel Angel Tormo
            Message 5 of 16 , May 31, 2007
              On Thursday, 31 May 2007 at 18:37, Marco Fioretti wrote:
              > Greetings,
              >
              > the postfix sasl readme, http://www.postfix.org/SASL_README.htm
              >
              > says:
              >
              > >The Cyrus SASL library is a lot of code. With this, Postfix becomes
              > >as secure as other mail systems that use the Cyrus SASL library.
              > >Dovecot provides an alternative that may be worth considering.
              >
              > In principle, I like the idea of doing without Cyrus, since I have
              > to run an IMAP server anyway and had already chosen Dovecot.
              > However, I would like to know what other list members think of this
              > approach: is it as secure as Cyrus, are you using it but
              > configured differently, is that page up to date...
              >
              > The page also says:
              >
              > >Support for the Dovecot version 1 SASL protocol is available in
              > >Postfix 2.3 and later.
              >
              > If one only has a binary package of Postfix, how can he check if
              > dovecot support was compiled in? (without finding the makefile and
              > looking at it, that is)
              >
              > TIA,
              > Marco
              >
              >

              I am using postfix 2.3 with dovecot sasl for authentication for almost 1 year now and never had an issue with it.
              It is very easy to set it up. In main.cf:
              smtpd_sasl_auth_enable = yes
              smtpd_sasl_type = dovecot
              # Can be an absolute path, or relative to $queue_directory
              smtpd_sasl_path = private/dovecotauth

              In dovecot.conf:

              auth default {
                mechanisms = plain login # and whatever
                .... some config ...

                socket listen {
                  client {
                    path = /var/spool/postfix/private/dovecotauth
                    mode = 0660
                    user = postfix
                    group = postfix
                  }
                }
              }
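
A quick audit of the server-side setup described in the message above, as an added example that is not part of the original post: it checks `postconf -a` output for the dovecot type, flags SMTP AUTH settings that leave the plain and login mechanisms usable without TLS, and checks the auth socket's mode and owner. The function names and sample inputs are constructed for this example, and `smtpd_tls_auth_only` is a Postfix parameter that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): checks for a Postfix server that
# authenticates through Dovecot. All functions work on text so they can be
# tried on the constructed samples below or fed from the real commands.

# Succeeds if SASL type $1 is listed in `postconf -a` output read from stdin.
sasl_type_available() {
    grep -qxF "$1"
}

# Print the value of parameter $1 from `postconf -n` style text on stdin.
param_value() {
    awk -F= -v key="$1" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# Audit smtpd SASL settings given as text in $1. Prints one line per finding
# and returns 1 if there is any. A parameter missing from `postconf -n`
# output is at its default (smtpd_sasl_type=cyrus, smtpd_tls_auth_only=no).
audit_smtpd_sasl() {
    findings=0
    if [ "$(printf '%s\n' "$1" | param_value smtpd_sasl_auth_enable)" != yes ]; then
        echo "smtpd_sasl_auth_enable is not yes: SMTP AUTH is off"
        return 1
    fi
    if [ "$(printf '%s\n' "$1" | param_value smtpd_sasl_type)" != dovecot ]; then
        echo "smtpd_sasl_type is not dovecot: Postfix will use the Cyrus SASL library"
        findings=1
    fi
    if [ "$(printf '%s\n' "$1" | param_value smtpd_tls_auth_only)" != yes ]; then
        echo "smtpd_tls_auth_only is not yes: PLAIN/LOGIN passwords can be sent without TLS"
        findings=1
    fi
    return "$findings"
}

# $1 = octal mode, $2 = owner of the Dovecot auth socket, for example from
#   stat -c '%a %U' /var/spool/postfix/private/dovecotauth   (GNU stat)
# Succeeds when "other" has no access and the owner is postfix, matching the
# mode = 0660 / user = postfix settings shown in the message above.
auth_socket_perms_ok() {
    case $1 in
        *0) ;;
        *) return 1 ;;
    esac
    [ "$2" = postfix ]
}

# Constructed samples: the three main.cf lines from the message above, and
# the same lines with TLS-only authentication added.
SAMPLE_THREAD='smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecotauth'
SAMPLE_TLS_ONLY="$SAMPLE_THREAD
smtpd_tls_auth_only = yes"

audit_smtpd_sasl "$SAMPLE_THREAD" || true      # one finding: no smtpd_tls_auth_only
audit_smtpd_sasl "$SAMPLE_TLS_ONLY" && echo "no findings"
```

On a live host the same functions take real input, for instance `postconf -a | sasl_type_available dovecot` and `audit_smtpd_sasl "$(postconf -n)"`.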
            • M. Fioretti
              Message 6 of 16 , May 31, 2007
                On Thu, May 31, 2007 18:58:01 PM +0100, Benjamin Donnachie
                (benjamin@...) wrote:

                > Marco Fioretti wrote:
                >
                > Though, I seem to recall that postfix only supports Cyrus-SASL when
                > acting as a client. But that shouldn't affect you if you only wish
                > to authenticate users, ie postfix acting as server.

                Well, I have a VPS where Postfix is the SMTP server and I want it to
                authenticate users (including me from home) which want to relay email
                through it. So the only issue on the VPS is if the postfix version
                isn't recent enough.

                What about my home box? I run postfix here too, with

                relayhost=my.remote.vps

                how should I configure this local postfix to authenticate? More
                exactly: does it matter to the _local_ postfix if the one on the VPS
                uses dovecot for authentication? If I understand correctly, it
                shouldn't, but I'd appreciate a confirmation that this is the case and
                that I'm not missing something.

                Thanks,
                Marco
              • Benjamin Donnachie
                Message 7 of 16 , Jun 1, 2007
                  M. Fioretti wrote:
                  > Well, I have a VPS where Postfix is the SMTP server and I want it to
                  > authenticate users (including me from home) which want to relay email
                  > through it. So the only issue on the VPS is if the postfix version
                  > isn't recent enough.

                  Should be okay with Dovecot-SASL - what output do you get from postconf -a ?

                  > What about my home box? I run postfix here too, with
                  > relayhost=my.remote.vps
                  > how should I configure this local postfix to authenticate?

                  See http://www.postfix.org/SASL_README.html#client_sasl

                  > More exactly: does it matter to the _local_ postfix if the one on the VPS
                  > uses dovecot for authentication? If I understand correctly, it
                  > shouldn't, but I'd appreciate a confirmation that this is the case and
                  > that I'm not missing something.

                  I've only used Cyrus-SASL, as I use Cyrus-IMAP, but it shouldn't matter.

                  Ben
                • M. Fioretti
                  Message 8 of 16 , Jun 2, 2007
                    On Fri, Jun 01, 2007 13:03:34 PM +0100, Benjamin Donnachie
                    (benjamin@...) wrote:

                    > M. Fioretti wrote:
                    > > Well, I have a VPS where Postfix is the SMTP server and I want it to
                    > > authenticate users (including me from home) which want to relay email
                    > > through it. So the only issue on the VPS is if the postfix version
                    > > isn't recent enough.
                    >
                    > Should be okay with Dovecot-SASL - what output do you get from postconf -a ?

                    none right now, since it doesn't run postfix 2.3 yet, I'll have to
                    upgrade.

                    > > What about my home box? I run postfix here too, with
                    > See http://www.postfix.org/SASL_README.html#client_sasl

                    OK, that's clear now, thanks again.

                    Marco
                  • M. Fioretti
                    Message 9 of 16 , Jun 2, 2007
                      greetings,

                      this is related to the "authentication with dovecot" question I posted
                      earlier. Are SASL or Dovecot really needed to authenticate just a
                      *few* postfix users, or are there solutions which are simpler but
                      equally safe?

                      Thanks,
                      Marco
                    • Benjamin Donnachie
                      Message 10 of 16 , Jun 2, 2007
                        M. Fioretti wrote:
                        > this is related to the "authentication with dovecot" question I posted
                        > earlier. Are SASL or Dovecot really needed to authenticate just a
                        > *few* postfix users, or are there solutions which are simpler but
                        > equally safe?

                        My understanding is that SASL is the only way. This link should explain
                        some of the theory -
                        http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

                        Your SASL install can be as simple or complicated as you want/need. At
                        the basic end, it can authenticate using its own database, at the other
                        end it can perform complicated lookups using ldap databases...

                        Ben
                      • M. Fioretti
                        Message 11 of 16 , Jun 2, 2007
                          On Sat, Jun 02, 2007 11:51:06 AM +0100, Benjamin Donnachie
                          (benjamin@...) wrote:

                          > M. Fioretti wrote:
                          > > this is related to the "authentication with dovecot" question I posted
                          > > earlier. Are SASL or Dovecot really needed to authenticate just a
                          > > *few* postfix users, or are there solutions which are simpler but
                          > > equally safe?
                          >
                          > My understanding is that SASL is the only way. This link should explain
                          > some of the theory -
                          > http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

                          OK, then SASL or Dovecot it is, then, thanks. I had read that page,
                          but had the impression (maybe because I _wanted_ to believe so :-) )
                          that there may be other ways.

                          Probably what made me think/hope so is the fact that when Postfix acts
                          as a client, say in your home Linux box relaying everything to your
                          ISP server, it doesn't need external libraries/servers.

                          At least what I understand from
                          http://www.postfix.org/SASL_README.html#client_sasl

                          is that when postfix is a client it only has to have something like

                          smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                          smtp_sasl_type = cyrus

                          /etc/postfix/sasl_passwd:
                          [mail.myisp.net] username:password

                          but you must not go through all the SASL *configuration* described in
                          the previous parts of the guide. Is this correct?

                          If it is, my hope was that one could simplify configuration and
                          maintenance of a _server_ in the same way, that is with simple
                          configuration files.

                          Ciao,
                          Marco
                        • mouss
                          Message 12 of 16 , Jun 2, 2007
                            M. Fioretti wrote:
                            > OK, then SASL or Dovecot it is, then, thanks.


                            you mean cyrus-sasl or dovecot-sasl....

                            cyrus-sasl is just one implementation of SASL.

                            > I had read that page,
                            > but had the impression (maybe because I _wanted_ to believe so :-) )
                            > that there may be other ways.
                            >
                            > Probably what made me think/hope so is the fact that when Postfix acts
                            > as a client, say in your home Linux box relaying everything to your
                            > ISP server, it doesn't need external libraries/servers.
                            >
                            > At least what I understand from
                            > http://www.postfix.org/SASL_README.html#client_sasl
                            >
                            > is that when postfix is a client it only has to have something like
                            >
                            > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                            > smtp_sasl_type = cyrus
                            >
                            > /etc/postfix/sasl_passwd:
                            > [mail.myisp.net] username:password
                            >
                            >

                            it still uses cyrus-sasl in this example.
                            > but you must not go through all the SASL *configuration* described in
                            > the previous parts of the guide. Is this correct?
                            >

                            you need to set up cyrus-sasl or dovecot-sasl in both cases. but the
                            configuration differs. in the client case, you need to tell postfix
                            where the sasl_passwd's are. in the server case, postfix doesn't care,
                            and you need to configure the sasl implementation to verify authentication.
                            > If it is, my hope was that one could simplify configuration and
                            > maintenance of a _server_ in the same way, that is with simple
                            > configuration files.
                            >

                            running a few daemons should not be an issue. divide and conquer...
                          • Benjamin Donnachie
                            Message 13 of 16 , Jun 2, 2007
                              M. Fioretti wrote:
                              > is that when postfix is a client it only has to have something like
                              >
                              > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                              > smtp_sasl_type = cyrus

                              I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                              and that Dovecot-SASL is not supported.

                              > but you must not go through all the SASL *configuration* described in
                              > the previous parts of the guide. Is this correct?

                              I haven't used client side SASL with postfix so I can't really help
                              here. I think it'll be a case of "suck it and see".

                              Take care,

                              Ben
                            • Joshua J. Kugler
                              Message 14 of 16 , Jun 4, 2007
                                On Saturday 02 June 2007 06:53, Benjamin Donnachie wrote:
                                > I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                                > and that Dovecot-SASL is not supported.

                                http://www.postfix.org/SASL_README.html#server_dovecot

                                2.3 and later only.


                                --
                                Joshua Kugler
                                Lead System Admin -- Senior Programmer
                                http://www.eeinternet.com
                                PGP Key: http://pgp.mit.edu/ ID 0xDB26D7CE
                                PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
                              • Tom Allison
                                Message 15 of 16 , Jun 10, 2007
                                  Benjamin Donnachie wrote:
                                  > M. Fioretti wrote:
                                  >> is that when postfix is a client it only has to have something like
                                  >>
                                  >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                                  >> smtp_sasl_type = cyrus
                                  >
                                  > I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                                  > and that Dovecot-SASL is not supported.
                                  >
                                  >> but you must not go through all the SASL *configuration* described in
                                  >> the previous parts of the guide. Is this correct?
                                  >
                                  > I haven't used client side SASL with postfix so I can't really help
                                  > here. I think it'll be a case of "suck it and see".
                                  >
                                  > Take care,
                                  >
                                  > Ben


                                  Wouldn't it be practical to have a auth_dbd module?
                                  SASL is just big and chubby...
                                • Noel Jones
                                  Message 16 of 16 , Jun 10, 2007
                                    At 10:34 AM 6/10/2007, Tom Allison wrote:
                                    >>I haven't used client side SASL with postfix so I can't really help
                                    >>here. I think it'll be a case of "suck it and see".
                                    >>Take care,
                                    >>Ben
                                    >
                                    >
                                    >Wouldn't it be practical to have a auth_dbd module?
                                    >SASL is just big and chubby...

                                    Yes, it would be nice to have a simple SASL client module for
                                    postfix, but someone will have to contribute a design and
                                    code. Although many distributions provide fairly simple tools for
                                    integrating cyrus-sasl, it would be nice to remove that dependency
                                    and all that extra code linked into postfix.

                                    Dovecot provides a very simple server interface - with nothing at all
                                    linked into postfix - but dovecot itself doesn't have a client mode.

                                    --
                                    Noel Jones