Loading ...
Sorry, an error occurred while loading the content.
 

Re: SASL question

Expand Messages
  • Reindl Harald
    ... i am using dovecot as proxy in front of dbmail since 2009 and for sasl auth because this way you have ecryption, CRAM-MD5 and so on for IMAP as also the
    Message 1 of 17 , Feb 10, 2013
      Am 10.02.2013 23:59, schrieb Curtis Maurand:
      > My currwnt setup has the imap connecting to a remote server on a private
      > network. The imap server is dbmail 2.2.17.
      >
      > Postfix is a member of the sasl group. There is an sasldb2 file just in
      > case.

      i am using dovecot as proxy in front of dbmail
      since 2009 and for sasl auth because this way
      you have ecryption, CRAM-MD5 and so on for
      IMAP as also the same SASL auth mechs for SMTP
      if postfix is using dovecot for SASL

      the sql-config below is for a localhost where dbmail-imapd
      is listening on 127.0.0.1:20143 and dovecot on 0.0.0.0:143
      ________________________________

      relevant snippets from dovecot.conf

      # configure proxy-database
      passdb {
      driver = sql
      args = /etc/dovecot/sql.conf
      }

      # we are not using local users
      userdb {
      driver = static
      args = static uid=15000 gid=15000 home=/dev/null
      }

      # configure backend for postfix sasl-auth
      service auth {
      unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
      }
      }
      ________________________________

      [root@srv-rhsoft:~]$ cat /etc/dovecot/sql.conf
      driver = mysql
      connect = host=mysqlhost dbname=dbmail user=dbmail password=************
      password_query = SELECT passwd as password, '127.0.0.1' as host, '20143' as port, userid as destuser, passwd
      AS pass, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM dbmail_users WHERE userid='%u'
      default_pass_scheme = plain
    • Simon Walter
      ... Don t you mean ...the whole *Cyrus* SASL crap ? Isn t smtpd_sasl_type = dovecot using the dovecot implementation of SASL? Simon -- htholidays.com
      Message 2 of 17 , Feb 10, 2013
        On 02/11/2013 05:46 AM, Reindl Harald wrote:
        >
        >
        > what are you using for IMAP?
        > if dovecot throw away the whole SASL crap!
        >
        >


        Don't you mean "...the whole *Cyrus* SASL crap"? Isn't "smtpd_sasl_type
        = dovecot" using the dovecot implementation of SASL?

        Simon

        --
        htholidays.com
      • Reindl Harald
        ... ok, i word it the whole manually configured SASL crap usually you need authentication for SMTP/POP3/IMAP and so preferred is a single instance and the
        Message 3 of 17 , Feb 11, 2013
          Am 11.02.2013 04:53, schrieb Simon Walter:
          > On 02/11/2013 05:46 AM, Reindl Harald wrote:
          >>
          >> what are you using for IMAP?
          >> if dovecot throw away the whole SASL crap!
          >>
          > Don't you mean "...the whole *Cyrus* SASL crap"? Isn't "smtpd_sasl_type = dovecot" using the dovecot implementation
          > of SASL?

          ok, i word it "the whole manually configured SASL crap"

          usually you need authentication for SMTP/POP3/IMAP and so
          preferred is a single instance and the same aut-mechs on
          all services
        • Bob Proulx
          ... I am not sure it is your desire to use the sasldb2 file. But if it is then on Debian it needs to be made available in the chroot which on Debian is
          Message 4 of 17 , Feb 13, 2013
            Curtis Maurand wrote:
            > Patrick Ben Koetter wrote:
            > >> However, nothing in my configuration says to open the sasldb file
            > >> anywhere as the auth machanism is set to imap, but postfix seems
            > >> intent on opening this file anyway.
            > >
            > > Cyrus SASL opens sasldb as fallback when all other attempts to do
            > > AUTH have failed. That in turn says your current setup is
            > > non-functional. Which docs did you follow? What's your current
            > > setup?
            >
            > My currwnt setup has the imap connecting to a remote server on a private
            > network. The imap server is dbmail 2.2.17.
            >
            > Postfix is a member of the sasl group. There is an sasldb2 file
            > just in case.

            I am not sure it is your desire to use the sasldb2 file. But if it is
            then on Debian it needs to be made available in the chroot which on
            Debian is usually located at /var/spool/postfix/etc. For me it meant
            the easiest thing to do was to modify the /etc/init.d/postfix script
            to make sure it was copied into the chroot when it was started.

            I added etc/sasldb2 to this next section.

            FILES="etc/sasldb2 etc/localtime etc/services etc/resolv.conf etc/hosts \
            etc/nsswitch.conf etc/nss_mdns.config"
            for file in $FILES; do
            [ -d ${file%/*} ] || mkdir -p ${file%/*}
            if [ -f /${file} ]; then rm -f ${file} && cp -p /${file} ${file}; fi
            # if [ -f ${file} ]; then chmod a+rX ${file}; fi
            done

            And I also removed that line that is commented out so that the
            original permissions are preserved. That causes permissions to be
            preserved from the /etc file into the chroot area when the file is
            copied into it. Otherwise the file would be available to everyone.
            Using the original permissions on all of the files is okay.

            Again, that is only if you are intending to use the sasldb2 file. It
            is a nice simple fallback. But most schemes use other access control
            methods.

            Bob
          • Curtis Maurand
            ... Thanks for all your help everyone. I actually found the answer in an email from about a year ago. Thank you to google. Apparently saslauthd on Ubuntu
            Message 5 of 17 , Feb 18, 2013
              On 2/13/2013 7:35 PM, Bob Proulx wrote:
              > Curtis Maurand wrote:
              >> Patrick Ben Koetter wrote:
              >>>> However, nothing in my configuration says to open the sasldb file
              >>>> anywhere as the auth machanism is set to imap, but postfix seems
              >>>> intent on opening this file anyway.
              >>> Cyrus SASL opens sasldb as fallback when all other attempts to do
              >>> AUTH have failed. That in turn says your current setup is
              >>> non-functional. Which docs did you follow? What's your current
              >>> setup?
              >> My currwnt setup has the imap connecting to a remote server on a private
              >> network. The imap server is dbmail 2.2.17.
              >>
              >> Postfix is a member of the sasl group. There is an sasldb2 file
              >> just in case.
              > I am not sure it is your desire to use the sasldb2 file. But if it is
              > then on Debian it needs to be made available in the chroot which on
              > Debian is usually located at /var/spool/postfix/etc. For me it meant
              > the easiest thing to do was to modify the /etc/init.d/postfix script
              > to make sure it was copied into the chroot when it was started.
              >
              > I added etc/sasldb2 to this next section.
              >
              > FILES="etc/sasldb2 etc/localtime etc/services etc/resolv.conf etc/hosts \
              > etc/nsswitch.conf etc/nss_mdns.config"
              > for file in $FILES; do
              > [ -d ${file%/*} ] || mkdir -p ${file%/*}
              > if [ -f /${file} ]; then rm -f ${file} && cp -p /${file} ${file}; fi
              > # if [ -f ${file} ]; then chmod a+rX ${file}; fi
              > done
              >
              > And I also removed that line that is commented out so that the
              > original permissions are preserved. That causes permissions to be
              > preserved from the /etc file into the chroot area when the file is
              > copied into it. Otherwise the file would be available to everyone.
              > Using the original permissions on all of the files is okay.
              >
              > Again, that is only if you are intending to use the sasldb2 file. It
              > is a nice simple fallback. But most schemes use other access control
              > methods.
              >
              > Bob
              Thanks for all your help everyone. I actually found the answer in an
              email from about a year ago. Thank you to google. Apparently saslauthd
              on Ubuntu runs chrooted while postfix does not. In order to make things
              work I had to establish a symbolic link in
              /var/spool/postfix/var/run/saslauthd to /var/run/sadlauthd and that
              solved the trouble.

              Cheers,
              --Curtis
            Your message has been successfully submitted and would be delivered to recipients shortly.