[Dovecot] Postfix SASL AUTH from Dovecot

Timo Sirainen tss at iki.fi
Mon May 31 19:12:12 EEST 2004


On Mon, 2004-05-31 at 15:47, Farkas Levente wrote:
> my main question here (as always) why we need sasl at all?
> what is the main pros for sasl?
> I've never seen any good reason.

SMTP AUTH is done with SASL, so IP-address restrictions and
POP/IMAP-before-SMTP are the only alternatives.

SASL is really just a list of requirements for an authentication
mechanism to be SASL compatible. There are plaintext SASL mechanisms
(PLAIN, LOGIN) which are commonly used with SMTP authentication.

When talking about SASL library it usually does much more than just
implement the few SASL mechanisms. It has to know how to verify the
passwords and where to find user's home directory etc. dovecot-auth for
example consists of:

# user/password databases (pam, ldap, sql, ..)
~/cvs/dovecot/src/auth% wc -l db-*.c|tail -1
  975 total
~/cvs/dovecot/src/auth% wc -l userdb*.c|tail -1
  881 total
~/cvs/dovecot/src/auth% wc -l passdb*.c|tail -1
 1497 total
# password matching functions (crypt, md5, ..)
~/cvs/dovecot/src/auth% wc -l password*.c|tail -1
  475 total
# sasl authentication mechanisms
~/cvs/dovecot/src/auth% wc -l mech-*.c
   82 mech-anonymous.c
  251 mech-cram-md5.c
  250 mech-cyrus-sasl2.c
  652 mech-digest-md5.c
  136 mech-plain.c
 1371 total

Only the mech-*.c files are SASL mechanism specific code. ANONYMOUS
could be done pretty much by sending username "anonymous" and empty
password. CRAM-MD5 and DIGEST-MD5 aren't really useful if SSL is being
used, except with them server never sees the plaintext password. What
could actually be very useful are Kerberos and OTP mechanisms, if
someone just implemented them.

> anyway why do you use dovecot-auth for postfix? postfix has many 
> authentication mechanism for everything.

AFAIK Postfix uses only Cyrus SASL library for authentication, it hasn't
implemented anything internally and it doesn't support any other library
(and there aren't many). And Cyrus SASL was the thing I've always
disliked.

It also means less configuration.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040531/ccf02e5d/attachment-0001.bin>


More information about the dovecot mailing list