Hi,
I am using SMTP-AUTH over TLS with sendmail, to allow remote users to authenticate and send mail via my server, and this uses saslauthd to authenticate users.
I have set up saslauthd with the "MECH=rimap" mechanism, so it uses the local IMAP server, Dovecot, for authentication.
I want to do this because Dovecot is set up to use /etc/passwd for user credentials (so I don't have multiple password files to manage), and Dovecot handles restricting the range of valid UIDs (including blocking root). (Using the default MECH=shadow with saslauthd allows all users to authenticate, which I don't want)
For real "normal" users, this all works fine - right password = user can relay mail, wrong password = relaying denied. So far so good.
If I try to authenticate as root (which I want NEVER to work), with the wrong password, Dovecot correctly refuses to allow root IMAP access and saslauthd/sendmail denies the relay.
But if I try to authenticate as root with the correct password (which I still want NOT to work!), Dovecot still refuses IMAP access, and puts this in the maillog:
Oct 5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root) Oct 5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]
But saslauthd seems to treat this as a successful authentication and still allows root to relay email!
So: Dovecot problem or saslauthd problem?
Server is running CentOS 4.1, fully patched. Packages are dovecot-0.99.11-2.EL4.1, cyrus-sasl-2.1.19-5.EL4, sendmail-8.13.1-2.
Thanks Andrew