Secure alternative to smtp_sasl_password_maps?

  • Christian Benke
    Message 1 of 3 , Mar 18, 2013
      Dear Postfix-users!

      Over the last weekend I've set up a mail environment for my personal
      use with a remote Postfix and Dovecot SASL/IMAP and locally mutt with
      Postfix as MTA.
      To be able to authenticate SMTP to the remote Postfix, I'm currently
      using smtp_sasl_password_maps, as described in
      http://www.postfix.org/SASL_README.html#client_sasl

      However, I'm not very happy with this approach and I wonder if there
      are alternatives. Since I'm using PAM for authentication on the remote
      system, my main mail user is my system user at the same time.
      I don't feel too confident saving a plaintext password on a laptop,
      where root-only permissions wouldn't help much when someone gains
      physical access to the hard disk.

      Maybe I'm missing something, but this doesn't seem to be a very sane
      way to work with passwords - especially when everything else is
      properly encrypted and authenticated. So I guess there must be some
      other way to do it?!

      The docs linked above also state:
      "saslauthd can verify the SMTP client credentials by using them to log
      into an IMAP server."

      Is there any mechanism to make this work with a remote IMAP and a
      local MTA? Is it still only possible with Cyrus? How do other people
      run the setup above, with a local mutt (= no built-in SMTP) on a mobile
      machine?

      Please bear with me if my questions are naive, I don't have too much
      experience yet with non-monolithic and non-trivial
      mail server configurations.

      Best regards,
      Christian

      --
      Central Asia by bike, starting May 2013 - http://poab.org
    • Dominik George
      Message 2 of 3 , Mar 18, 2013
        Hi,

        imho, the best approach to getting a road-warrior (laptop) authenticated
        as a satellite system using your central MTA as a relayhost is to have it in
        mynetworks. As in, connect it to the MTA through a VPN tunnel.

        Then, there is nothing that limits you to use PAM for
        authentication. You can additionally add a static passdb to Dovecot that
        serves an account that you can use for relay.

        -nik

        --
        * concerning Mozilla code leaking assertion failures to tty without D-BUS *
        <mirabilos> That means, D-BUS is a tool that makes software look better
        than it actually is.

        2013-05-19 - 05-21 Geocaching tour Hamburg (2 beds free)
        2013-06-28 - 06-30 http://project-eck.de Koblenz
        2013-08-01 - 08-04 http://berlin-mega.de Berlin (2 beds free)
        2013-08-28 - 09-02 http://prora2013.de Rügen
        2013-12-27 - 12-31 30c3 Hamburg (2 beds free)

        PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
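As an added illustration of the two approaches discussed in this thread (not configuration taken from the posts or from the Postfix project), the relevant Postfix main.cf settings side by side: the password-map client setup from SASL_README, and the VPN plus mynetworks relay setup Dominik describes. The relay host name, VPN addresses and subnet are assumptions; pick one of the two laptop variants, not both.

```ini
# ===== Laptop (local Postfix), variant A: smtp_sasl_password_maps =====
# Client-side SASL as in SASL_README#client_sasl. The map stores the
# password in plaintext on disk (the concern raised in the thread), so keep
# /etc/postfix/sasl_passwd root-owned, mode 0600, and rebuild the map with
# "postmap hash:/etc/postfix/sasl_passwd" after every edit.
# (Postfix main.cf allows comments only on their own lines.)
# mail.example.org is an assumed relay host name.
relayhost = [mail.example.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS so the password never crosses the wire in the clear.
smtp_tls_security_level = encrypt

# ===== Laptop (local Postfix), variant B: relay over a VPN, no password map =====
# The VPN gives the laptop a fixed address inside 10.8.0.0/24 (assumed);
# the central MTA trusts that address instead of a stored password.
relayhost = [10.8.0.1]:25
smtp_sasl_auth_enable = no
# Accept mail from the laptop itself only, never from whatever LAN it sits on.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8

# ===== Central MTA (remote Postfix), server side of variant B =====
# Trust loopback and the VPN subnet, keep SASL for other clients, and fall
# through to the normal anti-relay protection for everything else.
mynetworks = 127.0.0.0/8, 10.8.0.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

With variant B the VPN client key becomes the credential that lives on the laptop, so the change narrows what a stolen disk exposes (a relay path rather than the account password) rather than removing secrets from the machine.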
      • Christian Benke
        Message 3 of 3 , Mar 19, 2013
          On 18 March 2013 23:31, Dominik George <nik@...> wrote:
          > Hi,
          >
          > imho, the best approach to getting a road-warrior (laptop) authenticated
          > as a satellite system using your central MTA as a relayhost is to have it in
          > mynetworks. As in, connect it to the MTA through a VPN tunnel.

          Hey Dominik!

          Intriguing idea, I didn't think about that option :-) And it looks
          like this is the way to go!

          Thanks,
          Christian