[dovecot] Re: Some experiences
Xavier Beaudouin
kiwi at oav.net
Sun Jan 5 23:26:00 EET 2003
Hi ;-)
[...]
> Well, current CVS has some code for it, but it's still missing some
> configuration. Actually I'm not really sure how I should do that, I
> found one way but Postfix doesn't seem to be doing that..
>
> And secure? I doubt it, I did a quick audit to it a month ago and found
> 3 buffer overflows. I checked mostly just PLAIN mechanism which I use
> with Postfix, so there may well be more left in other auth mechanisms.
>
Personally I don't like Cyrus SASL too much, for lots of reasons:
- I don't trust it a lot
- this is yet another lib to add to the thousands of libs used for
  authentication, e.g.:
  server code (here dovecot) -> sasl -> pam -> mod_someth -> something lib -> something server -> db ..
Yes, I know there is a patch for sasl 1.x and there is some other backend
for sasl 2.x, but I still don't like it.
Adding some lines of code into dovecot for authentication against MySQL
(for example) or LDAP should not be too much, and much easier to
debug / audit than a big library like SASL.
From my point of view, I am going, when time is available, to make a
patch for dovecot to do mysql auth, since I want to move from
courier-imap (sorry) to a better solution that is dovecot....
(that I use at home using pam)... to get a 100% virtual account
solution without adding 3rd party code... ;-)
my 0.02c
/Xavier
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
For mail address, please check header of this mail. Spams are not
accepted.
Caudium: http://caudium.net/
Making friends with FreeBSD:
Just because the system has panicked doesn't mean that you should
panic too