Hello,
Anyone interested, I solved it the following way:

imap server: dovecot <=> /bin/saslcheckpassword <=> local unix domain socket for saslauthd <=> socat client
                                                                                                    ^
                                                                                                    = Remote TLS connection
                                                                                                    v
auth server:                                                                                  socat server <=> saslauthd <=> /etc/passwd,/etc/shadow
saslcheckpassword is based on checkpassword.sh and enhanced for SASL, modified version attached: https://bitbucket.org/vizovitin/dovecot-conf-examples/src/tip/checkpassword-...
Detailed configs below.
imap server:
touch /var/log/dovecot-saslcheckpassword.log
chown dovecot.dovecot /var/log/dovecot-saslcheckpassword.log
chmod 750 /var/log/dovecot-saslcheckpassword.log
Advantage is single authentication entity.
Works well for me for some time now.
If you have some questions feel free to ask.
Ciao, Gerhard
================================================================================================================================================================
IMAP server, SASL client:
cat /etc/systemd/system/multi-user.target.wants/saslclient.service
[Unit]
Description=SASL remote client for authentication, provides local unix domain socket
After=network.target

[Service]
# Must be running under permissions for the dovecot user!
ExecStart=/usr/bin/socat -4 -ly UNIX-LISTEN:/var/run/saslauthd/mux,fork,user=dovecot,group=dovecot 'OPENSSL:myserver:1234,verify=1,method=TLSv1,cipher=DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5,cafile=/etc/socat/mycert.crt'

[Install]
WantedBy=multi-user.target
Auth server:
cat /etc/systemd/system/multi-user.target.wants/saslserver.service
[Unit]
Description=SASL remote server for authentication
After=network.target

[Service]
ExecStart=/usr/bin/socat -4 -ly 'OPENSSL-LISTEN:9999,reuseaddr,fork,verify=0,method=TLSv1,cipher=DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5,cert=/etc/socat/mycert.pem,cafile=/etc/socat/mycert.crt' /var/run/saslauthd/mux

[Install]
WantedBy=multi-user.target
Relevant dovecot config:
userdb {
  args = username_format=%n /etc/dovecot/users
  driver = passwd-file
}

passdb {
  args = /bin/saslcheckpassword
  driver = checkpassword
}
On 16.07.2014 15:50, Gerhard Wiesinger wrote:
Any comments?
Thank you.
Ciao, Gerhard
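The piece that saslcheckpassword has to get right at the near end of the tunnel above is the saslauthd mux wire protocol (four length-prefixed fields in, one length-prefixed OK/NO reply out). The following Python is an added example, not code from the post or from the linked checkpassword script: it implements that exchange over any connected socket and pairs it with a constructed in-process stand-in for saslauthd so it runs without dovecot, socat or TLS; DEMO_USERS and the default service name "imap" are assumptions.

```python
import socket
import struct
import threading

def encode_saslauthd_request(login, password, service="imap", realm=""):
    """Build one saslauthd mux request: four fields, each 2-byte big-endian length + bytes."""
    out = b""
    for field in (login, password, service, realm):
        data = field.encode("utf-8")
        out += struct.pack(">H", len(data)) + data
    return out

def _recv_exact(sock, n):
    """Read exactly n bytes; a short read means the peer went away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd peer closed the connection early")
        buf += chunk
    return buf

def _read_field(sock):
    (length,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)

def saslauthd_check(sock, login, password, service="imap", realm=""):
    """Send one request on a connected socket (mux or tunnel end); True only on an OK reply."""
    sock.sendall(encode_saslauthd_request(login, password, service, realm))
    return _read_field(sock).startswith(b"OK")

# Constructed stand-in for saslauthd so the demo runs offline (hypothetical users).
DEMO_USERS = {"alice": "correct horse battery"}

def fake_saslauthd(sock):
    login, password, _service, _realm = (_read_field(sock) for _ in range(4))
    reply = b"OK" if DEMO_USERS.get(login.decode()) == password.decode() else b"NO"
    sock.sendall(struct.pack(">H", len(reply)) + reply)
    sock.close()

def demo_auth(login, password):
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_saslauthd, args=(server,))
    worker.start()
    try:
        return saslauthd_check(client, login, password)
    finally:
        client.close()
        worker.join()
```

Against a real deployment, replace the socketpair with a socket connected to /var/run/saslauthd/mux and map the boolean onto the checkpassword exit status (0 for success, 1 for failure).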