Loading ...
Sorry, an error occurred while loading the content.

Re: SASL authentication via dovecot?

Expand Messages
  • Benjamin Donnachie
    ... Should be okay with Dovecot-SASL - what output do you get from postconf -a ? ... See http://www.postfix.org/SASL_README.html#client_sasl ... I ve only used
    Message 1 of 16 , Jun 1, 2007
    • 0 Attachment
      M. Fioretti wrote:
      > Whell, I have a VPS where Postfix is the SMTP server and I want it to
      > authenticate users (including me from home) which want to relay email
      > through it. So the only issue on the VPS is if the postfix version
      > isn't recent enough.

      Should be okay with Dovecot-SASL - what output do you get from postconf -a ?

      > What about my home box? I run postfix here too, with
      > relayhost=my.remote.vps
      > how should I configure this local postfix to authenticate?

      See http://www.postfix.org/SASL_README.html#client_sasl

      > More exactly: does it matter to the _local_ postfix if the one on the VPS
      > uses dovecot for authentication? If I understand correctly, it
      > shouldn't, but I'd appreciate a confirmation that this is the case and
      > that I'm not missing something.

      I've only used Cyrus-SASL, as I use Cyrus-IMAP, but it shouldn't matter.

      Ben
    • M. Fioretti
      On Fri, Jun 01, 2007 13:03:34 PM +0100, Benjamin Donnachie ... none right now, since it doesn t run postfix 2.3 yet, I ll have to upgrade. ... OK, that s clear
      Message 2 of 16 , Jun 2, 2007
      • 0 Attachment
        On Fri, Jun 01, 2007 13:03:34 PM +0100, Benjamin Donnachie
        (benjamin@...) wrote:

        > M. Fioretti wrote:
        > > Whell, I have a VPS where Postfix is the SMTP server and I want it to
        > > authenticate users (including me from home) which want to relay email
        > > through it. So the only issue on the VPS is if the postfix version
        > > isn't recent enough.
        >
        > Should be okay with Dovecot-SASL - what output do you get from postconf -a ?

        none right now, since it doesn't run postfix 2.3 yet, I'll have to
        upgrade.

        > > What about my home box? I run postfix here too, with
        > See http://www.postfix.org/SASL_README.html#client_sasl

        OK, that's clear now, thanks again.

        Marco
      • M. Fioretti
        greetings, this is related to the authentication with dovecot question I posted earlier. Are SASL or Dovecot really needed to authenticate just a *few*
        Message 3 of 16 , Jun 2, 2007
        • 0 Attachment
          greetings,

          this is related to the "authentication with dovecot" question I posted
          earlier. Are SASL or Dovecot really needed to authenticate just a
          *few* postfix users, or there are solutions which are simpler but
          equally safe?

          Thanks,
          Marco
        • Benjamin Donnachie
          ... My understanding is that SASL is the only way. This link should explain some of the theory - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
          Message 4 of 16 , Jun 2, 2007
          • 0 Attachment
            M. Fioretti wrote:
            > this is related to the "authentication with dovecot" question I posted
            > earlier. Are SASL or Dovecot really needed to authenticate just a
            > *few* postfix users, or there are solutions which are simpler but
            > equally safe?

            My understanding is that SASL is the only way. This link should explain
            some of the theory -
            http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

            Your SASL install can be as simple or complicated as you want/need. At
            the basic end, it can authenticate using its own database, at the other
            end it can perform complicated lookups using ldap databases...

            Ben
          • M. Fioretti
            On Sat, Jun 02, 2007 11:51:06 AM +0100, Benjamin Donnachie ... OK, then SASL or Dovecot it is, then, thanks. I had read that page, but had the impression
            Message 5 of 16 , Jun 2, 2007
            • 0 Attachment
              On Sat, Jun 02, 2007 11:51:06 AM +0100, Benjamin Donnachie
              (benjamin@...) wrote:

              > M. Fioretti wrote:
              > > this is related to the "authentication with dovecot" question I posted
              > > earlier. Are SASL or Dovecot really needed to authenticate just a
              > > *few* postfix users, or there are solutions which are simpler but
              > > equally safe?
              >
              > My understanding is that SASL is the only way. This link should explain
              > some of the theory -
              > http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

              OK, then SASL or Dovecot it is, then, thanks. I had read that page,
              but had the impression (maybe because I _wanted_ to believe so :-) )
              that there may be other ways.

              Probably what made me think/hope so is the fact that when PostFix acts
              as a client, says in your home linux box relaying everything to your
              ISP server, it doesn't need external libraries/servers.

              At least what I understand from
              http://www.postfix.org/SASL_README.html#client_sasl

              is that when postfix is a client it only has to have something like

              smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
              smtp_sasl_type = cyrus

              /etc/postfix/sasl_passwd:
              [mail.myisp.net] username:password

              but you must not go through all the SASL *configuration* described in
              the previous parts of the guide. Is this correct?

              If it is, my hope was that one could simplify configuration and
              maintenance of a _server_ in the same way, that is with simple
              configuration files.

              Ciao,
              Marco
            • mouss
              ... you mean cyrus-sasl or dovecot-sasl.... cyrus-sasl is just one implementation of SASL. ... it still uses cyrus-sasl in this example. ... you need to setup
              Message 6 of 16 , Jun 2, 2007
              • 0 Attachment
                M. Fioretti wrote:
                > OK, then SASL or Dovecot it is, then, thanks.


                you mean cyrus-sasl or dovecot-sasl....

                cyrus-sasl is just one implementation of SASL.

                > I had read that page,
                > but had the impression (maybe because I _wanted_ to believe so :-) )
                > that there may be other ways.
                >
                > Probably what made me think/hope so is the fact that when PostFix acts
                > as a client, says in your home linux box relaying everything to your
                > ISP server, it doesn't need external libraries/servers.
                >
                > At least what I understand from
                > http://www.postfix.org/SASL_README.html#client_sasl
                >
                > is that when postfix is a client it only has to have something like
                >
                > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                > smtp_sasl_type = cyrus
                >
                > /etc/postfix/sasl_passwd:
                > [mail.myisp.net] username:password
                >
                >

                it still uses cyrus-sasl in this example.
                > but you must not go through all the SASL *configuration* described in
                > the previous parts of the guide. Is this correct?
                >

                you need to setup cryus-sasl or dovecot-sasl in both cases. but the
                configuration differs. in the client case, you need to tell postfix
                where the sasl_passwd's are. in the server case, postfix doesn't care,
                and you need to configure the sasl implementation to verify authentication.
                > If it is, my hope was that one could simplify configuration and
                > maintenance of a _server_ in the same way, that is with simple
                > configuration files.
                >

                running a few daemons should not be an issue. divide and conquer...
              • Benjamin Donnachie
                ... I m fairly certain that postfix needs Cyrus-SASL when acting as a client and that Dovecot-SASL is not supported. ... I haven t used client side SASL with
                Message 7 of 16 , Jun 2, 2007
                • 0 Attachment
                  M. Fioretti wrote:
                  > is that when postfix is a client it only has to have something like
                  >
                  > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                  > smtp_sasl_type = cyrus

                  I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                  and that Dovecot-SASL is not supported.

                  > but you must not go through all the SASL *configuration* described in
                  > the previous parts of the guide. Is this correct?

                  I haven't used client side SASL with postfix so I can't really help
                  here. I think it'll be a case of "suck it and see".

                  Take care,

                  Ben
                • Joshua J. Kugler
                  ... http://www.postfix.org/SASL_README.html#server_dovecot 2.3 and later only. -- Joshua Kugler Lead System Admin -- Senior Programmer
                  Message 8 of 16 , Jun 4, 2007
                  • 0 Attachment
                    On Saturday 02 June 2007 06:53, Benjamin Donnachie wrote:
                    > I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                    > and that Dovecot-SASL is not supported.

                    http://www.postfix.org/SASL_README.html#server_dovecot

                    2.3 and later only.


                    --
                    Joshua Kugler
                    Lead System Admin -- Senior Programmer
                    http://www.eeinternet.com
                    PGP Key: http://pgp.mit.edu/ ID 0xDB26D7CE
                    PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
                  • Tom Allison
                    ... Wouldn t it be practical to have a auth_dbd module? SASL is just big and chubby...
                    Message 9 of 16 , Jun 10, 2007
                    • 0 Attachment
                      Benjamin Donnachie wrote:
                      > M. Fioretti wrote:
                      >> is that when postfix is a client it only has to have something like
                      >>
                      >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                      >> smtp_sasl_type = cyrus
                      >
                      > I'm fairly certain that postfix needs Cyrus-SASL when acting as a client
                      > and that Dovecot-SASL is not supported.
                      >
                      >> but you must not go through all the SASL *configuration* described in
                      >> the previous parts of the guide. Is this correct?
                      >
                      > I haven't used client side SASL with postfix so I can't really help
                      > here. I think it'll be a case of "suck it and see".
                      >
                      > Take care,
                      >
                      > Ben


                      Wouldn't it be practical to have a auth_dbd module?
                      SASL is just big and chubby...
                    • Noel Jones
                      ... Yes, it would be nice to have a simple SASL client module for postfix, but someone will have to contribute a design and code. Although many distributions
                      Message 10 of 16 , Jun 10, 2007
                      • 0 Attachment
                        At 10:34 AM 6/10/2007, Tom Allison wrote:
                        >>I haven't used client side SASL with postfix so I can't really help
                        >>here. I think it'll be a case of "suck it and see".
                        >>Take care,
                        >>Ben
                        >
                        >
                        >Wouldn't it be practical to have a auth_dbd module?
                        >SASL is just big and chubby...

                        Yes, it would be nice to have a simple SASL client module for
                        postfix, but someone will have to contribute a design and
                        code. Although many distributions provide fairly simple tools for
                        integrating cyrus-sasl, it would be nice to remove that dependency
                        and all that extra code linked into postfix.

                        Dovecot provides a very simple server interface - with nothing at all
                        linked into postfix - but dovecot itself doesn't have a client mode.

                        --
                        Noel Jones
                      Your message has been successfully submitted and would be delivered to recipients shortly.