hi, my main question here (as always) why we need sasl at all? what is the main pros for sasl? I've never seen any good reason. anyway why do you use dovecot-auth for postfix? postfix has many authentication mechanism for everything.
Timo Sirainen wrote:
Again today got annoyed at Cyrus SASL. Upgrading it to newer version had broken PAM support. Trying to login as "user@domain" resulted it only asking for "user" from PAM. Well, got it patched and working again, but I'd rather not go through it all the time..
So I finally did what I had been thinking about a year or so, change Postfix to use dovecot-auth directly. This required cleaning dovecot-auth quite a lot, but it seems to be working now.
Actually I finally implemented support for initial SASL response as well. POP3's AUTH command had required support for it, strange that no-one ever complained about it not working.
If you want to try it, you need very latest CVS version of Dovecot and this patch for Postfix:
http://dovecot.org/patches/postfix-dovecot-auth.patch
dovecot-auth can be run on it's own (configuration in environment variables), or you can use extra_sockets auth setting which is a ':' separated list of UNIX sockets where to listen in. You'd probably want to set it to /var/spool/postfix/etc/dovecot-auth, the location is hardcoded to /etc/dovecot-auth in the patch for now (smtpd is chrooted).
The only real problem is that Dovecot creates the dovecot-auth socket using 0660 root:root modes, so you have to manually chmod it to 0666 or fix owner/group. I guess that needs some more thinking.. Probably each socket should have separate settings for it, but how to do it easily in configuration? ..
The patch has also hardcoded dovecot path in Makefile.in, you'll need to change that.
-- Levente "Si vis pacem para bellum!"