Secure alternative to smtp_sasl_password_maps?
- Dear Postfix-users!
Over the last weekend i've set up a mail-environment for my personal
use with a remote Postfix and Dovecot SASL/IMAP and locally mutt with
Postfix as MTA.
To be able to authenticate SMTP to the remote Postfix, i'm currently
using smtp_sasl_password_maps, as described in
However, i'm not very happy with this approach and i wonder if there
are alternatives. Since i'm using PAM for authentication on the remote
system, my main mailuser is my system-user at the same time.
I don't feel too confident saving a plaintext-password on a laptop,
where root-only permissions wouldn't help much when someone gains
physical access to the harddisk.
Maybe i'm missing something, but this doesn't seem to be a very sane
way to work with passwords - especially when everything else is
properly encrypted and authenticated. So i guess there must be some
other way to do it?!
The docs linked above also state:
"saslauthd can verify the SMTP client credentials by using them to log
into an IMAP server."
Is there any mechanism to make this work with a remote IMAP and a
local MTA? Is it still only possible with Cyrus? How do other people
run the setup above, with a local mutt(=no built-in SMTP) on a mobile
Please bear with me if my questions are naive, i don't have too much
experience yet with non-monolithic and non-trivial
Central Asia by bike, starting May 2013 - http://poab.org
imho, the best approach to getting a road-warrior (laptop) authenticated
as a satellite system using your central MTA as a relayhost is to have it in
mynetworks. As in, connect it to the MTA through a VPN tunnel.
Then, there is nothing that limits you to using PAM for
authentication. You can additionally add a static passdb to Dovecot that
serves an account that you can use for relay.
- On 18 March 2013 23:31, Dominik George <nik@...> wrote:
> Hi,
Hey Dominik!
> imho, the best approach to getting a road-warrior (laptop) authenticated
> as a satellite system using your central MTA as a relayhost is have it in
> mynetworks. As in, connect it to the MTA through a VPN tunnel.
Intriguing idea, i didn't think about that option :-) And it looks
like this is the way to go!
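
The VPN/mynetworks layout suggested in this thread, sketched as an added example that is not from any of the posters. The VPN subnet 10.8.0.0/24, the tunnel address 10.8.0.1 of the central MTA, and the host name mail.example.org are assumptions made for illustration.

```conf
# Added example; all addresses and host names below are assumed values.

# --- central MTA: /etc/postfix/main.cf ---
# Trust only loopback and the VPN subnet. Do not list the public
# network the server sits in, or every neighbour could relay.
mynetworks = 127.0.0.0/8 [::1]/128 10.8.0.0/24

# Relay for trusted networks and authenticated clients, reject the rest.
# smtpd_relay_restrictions exists in Postfix 2.10 and later; on older
# versions put the same list at the start of smtpd_recipient_restrictions.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# --- laptop: /etc/postfix/main.cf ---
# Before (password kept on disk for SMTP AUTH):
#   relayhost = [mail.example.org]:587
#   smtp_sasl_auth_enable = yes
#   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# After (no stored password, mail leaves only through the tunnel):
relayhost = [10.8.0.1]:25
smtp_sasl_auth_enable = no

# Accept mail only from local programs such as mutt.
inet_interfaces = loopback-only
```

Every host that can reach the MTA from inside 10.8.0.0/24 may relay, so keep that subnet as narrow as the VPN allows. While the tunnel is down the laptop's Postfix defers the mail and retries later.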