- /dev/rob0 <dovecot@dovecot.org>:
> On Tue, Jan 08, 2013 at 08:59:09AM -0500, Charles Marcus wrote:
> > So that postfix can use dovecot-sasl for remotely authenticating against another SMTP server, ie, for secure relays...
> I don't think this makes sense for Dovecot to implement -- maybe P@rick and/or Timo will correct this if I am wrong.
That's a difficult subject, because I am not the author of Dovecot. So whatever I say, Timo definitely has the last word on this. But since you invited me, here are my thoughts:
At the moment Dovecot does not implement an SMTP/LMTP client. This might change when Timo decides to implement all of the LEMONADE features, which at some point require the IMAP server to edit and send messages on behalf of a (mobile) client. Timo will shed more light on his plans.
IF that part will be implemented it MAY make sense to add the AUTH capability to the SMTP/LMTP client, because the receiving SMTP/LMTP server MAY require it.
IF at that point Dovecot becomes capable of AUTH on the client side, it MAY share that capability with another program, e.g. Postfix.
At the moment Postfix uses a simple IF/THEN mechanism, which is configured in two columns and provided via smtp_sasl_password_maps:
IF HOST THEN IDENTITY
If Postfix were to use Dovecot as AUTH service it would have to query Dovecot for every host it contacts. Dovecot would have to know when Postfix would have to use AUTH, it would have to choose the appropriate SASL mechanism and it would have to guide Postfix through the mechanism's steps, including handing over the identity when required.
All this to solve a problem that already has been solved.
My personal opinion/preference is:
Use Cyrus SASL when you need SMTP AUTH on a Boundary Server, a Relay or if you need SASL on the client side.
Use Dovecot SASL if your mail service offers SMTP and also POP/IMAP on the same system and/or if you combine more roles (mail server, Boundary Server, Relay, Gateway etc.).
> Server SASL is a natural offshoot of an imapd, because the same credentials are used, and just as with an IMAP client, the imapd merely has to validate the credentials.
> Client SASL is different. The credentials are not necessarily in use by the imapd otherwise, and the job of the client SASL library is to generate the authentication, not to validate it.
recognize, choose and generate.
> I don't expect to see Dovecot providing client SASL.
Neither do I, but it's not upon me to tell. :)
p@rick
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
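The IF HOST THEN IDENTITY lookup that p@rick describes, shown as an added Postfix configuration example. This is not code from the thread or from either project; relay.example.com, port 587, the user name and the password are placeholders, and the CA file path is one common Debian location.

```ini
# /etc/postfix/main.cf (added example; hostnames and credentials are placeholders)

# Next-hop relay. The smtp_sasl_password_maps lookup key must match this
# string exactly, brackets and port included.
relayhost = [relay.example.com]:587

# Client-side SASL: Postfix authenticates itself to the relay.
smtp_sasl_auth_enable = yes

# The two-column "IF HOST THEN IDENTITY" table: destination -> username:password.
# Destinations without an entry are contacted without AUTH.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Without TLS: refuse anonymous and plaintext mechanisms (PLAIN/LOGIN).
smtp_sasl_security_options = noanonymous, noplaintext
# With TLS established: plaintext mechanisms are acceptable inside the tunnel.
smtp_sasl_tls_security_options = noanonymous

# Require TLS to the relay so the credentials never cross the wire in clear.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/sasl_passwd (plain text, one "destination  username:password" per line):
#
#   [relay.example.com]:587    relayuser:CHANGE-ME
#
# Build the indexed map, keep both files readable by root only, then reload:
#
#   postmap hash:/etc/postfix/sasl_passwd
#   chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
#   postfix reload
```

The point of the example is how little state is involved: the decision "AUTH or not" and the identity to present are both answered by one table lookup keyed on the next-hop destination, which is the simplicity p@rick contrasts with routing every such decision through a Dovecot query.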