Securing postfix to dovecot (SASL) auth
Hi
Is it possible to secure the Dovecot SASL auth provider for postfix? https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
I'm currently using the inet option to provide SASL auth to postfix for dovecot. Both installs are on different hosts hence the use of inet rather than unix socket.
I'm looking for the best way to secure this channel (rather than just assuming the VLAN is secure), e.g. TLS. It would seem even the latest versions of Dovecot/Postfix 3 don't support encrypting this channel?
Has anyone managed to implement a secure internal approach they can share? I'm wondering if Postfix with Cyrus against IMAP using STARTTLS is my best alternative.
Thanks
Raymond
On 27/09/17 12:07, Raymond Sellars wrote:
> Hi
> Is it possible to secure the Dovecot SASL auth provider for postfix? https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
> I'm currently using the inet option to provide SASL auth to postfix for dovecot. Both installs are on different hosts hence the use of inet rather than unix socket.

Postfix does not support this natively, and I don't think dovecot does either. That said, it should be relatively easy to set up an ssh tunnel or stunnel and push the connection through that.
Peter
Hi,
On 27.09.2017 at 01:07, Raymond Sellars wrote:
> Is it possible to secure the Dovecot SASL auth provider for postfix?

I'm using this configuration, which you've suggested.

> Has anyone managed to implement a secure internal approach they can share? I'm wondering if Postfix with Cyrus against IMAP using STARTTLS is my best alternative.

My config is:

On the dovecot server:

    service auth {
      inet_listener {
        address = 192.0.0.1
        port = 10001
        ssl = yes
      }
    }

On the postfix server in master.cf:

    submission inet n - - - - smtpd
      ...
      -o smtpd_sasl_path=inet:192.0.0.1:10001
      ...

And in main.cf:

    ### SASL via dovecot ###
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = inet:192.0.0.1:10001
    smtpd_sasl_type = dovecot

> Thanks
> Raymond

Greetings
Thomas
On 27/09/17 20:35, Thomas Bauer wrote:
> service auth { inet_listener{ address=192.0.0.1 port=10001 ssl=yes } }

ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.

> -o smtpd_tls_security_level=encrypt

This definitely does not do what you think it does. This setting is for the smtpd server, not the SASL client. It will enforce TLS between the MUA (email client) and postfix. It does not affect the connection between postfix and the dovecot SASL server at all.

The only way to encrypt the connection between postfix and dovecot SASL is to use a tunnel.
Peter
On 27.09.2017 13:21, Peter wrote:
> On 27/09/17 20:35, Thomas Bauer wrote:
>> service auth { inet_listener{ address=192.0.0.1 port=10001 ssl=yes } }
>
> ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.

It is documented for inet_listeners in general and is not ignored. Any dovecot inet_listener can be given this flag.

You could use stunnel on the other end.
Aki
On 28/09/17 00:11, Aki Tuomi wrote:
>> ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.
>
> It is documented for inet_listeners in general and is not ignored. Any dovecot inet_listener can be given this flag.
>
> You could use stunnel on the other end.

Does it turn the auth socket into a direct TLS connection, or is there a STARTTLS implementation for it?
Peter
On 27.09.2017 14:57, Peter wrote:
> On 28/09/17 00:11, Aki Tuomi wrote:
>>> ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.
>>
>> It is documented for inet_listeners in general and is not ignored. Any dovecot inet_listener can be given this flag.
>>
>> You could use stunnel on the other end.
>
> Does it turn the auth socket into a direct TLS connection, or is there a STARTTLS implementation for it?
>
> Peter

It will listen for direct TLS.
Aki
- Aki Tuomi <aki.tuomi@dovecot.fi>:
> On 27.09.2017 13:21, Peter wrote:
>> On 27/09/17 20:35, Thomas Bauer wrote:
>>> service auth { inet_listener{ address=192.0.0.1 port=10001 ssl=yes } }
>>
>> ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.
>
> It is documented for inet_listeners in general and is not ignored. Any dovecot inet_listener can be given this flag.

However AFAIK Postfix does not honor an SSL encrypted layer for SASL auth.

> You could use stunnel on the other end.

That's what we usually do.
p@rick
-- [*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
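The tunnel that Peter, Aki and Patrick point to, written out as an added example; this is not configuration posted by anyone in the thread. It reuses 192.0.0.1:10001 from Thomas's post; the hostname dovecot.internal, the certificate, key and CA paths, the stunnel4 user and pid locations are assumptions, and sslVersionMin needs stunnel 5.50 or newer. Rather than relying on Dovecot's own ssl=yes on the auth listener (which Postfix's Dovecot SASL client cannot speak), the Dovecot listener stays plaintext on loopback, stunnel terminates TLS on the Dovecot host and originates it on the Postfix host, and both ends verify the peer against a private CA. Peer verification matters here: the auth socket lets any client that reaches it test passwords, so encryption alone only hides the traffic from the VLAN, it does not restrict who may open the socket.

```ini
; ===== Dovecot host: /etc/stunnel/dovecot-auth.conf (server side) =====
; Dovecot's auth listener stays plaintext but is bound to loopback only,
; e.g. in conf.d/10-master.conf:
;   service auth { inet_listener { address = 127.0.0.1  port = 10001 } }
; All paths, users and hostnames in this file are assumptions for the example.
foreground = no
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/dovecot-auth.pid

[dovecot-auth]
accept  = 192.0.0.1:10001         ; VLAN address the Postfix host connects to
connect = 127.0.0.1:10001         ; Dovecot auth inet_listener on loopback
cert    = /etc/stunnel/dovecot-auth.crt
key     = /etc/stunnel/dovecot-auth.key
; Mutual TLS: only a client presenting a certificate chained to the internal CA
; may open the auth socket. Without requireCert, anyone on the VLAN who can
; reach 192.0.0.1:10001 could drive the Dovecot auth protocol.
CAfile      = /etc/stunnel/internal-ca.crt
verifyChain = yes
requireCert = yes
sslVersionMin = TLSv1.2           ; stunnel 5.50+

; ===== Postfix host: /etc/stunnel/dovecot-auth.conf (client side) =====
foreground = no
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/dovecot-auth.pid

[dovecot-auth]
client  = yes
accept  = 127.0.0.1:10001         ; local end that Postfix's smtpd talks to
connect = 192.0.0.1:10001         ; stunnel on the Dovecot host
cert    = /etc/stunnel/postfix-client.crt
key     = /etc/stunnel/postfix-client.key
CAfile      = /etc/stunnel/internal-ca.crt
verifyChain = yes
checkHost   = dovecot.internal    ; must match a SAN/CN in the Dovecot-side certificate
sslVersionMin = TLSv1.2           ; stunnel 5.50+

; Postfix main.cf on the Postfix host then points at the local tunnel end
; instead of at the Dovecot host directly:
;   smtpd_sasl_type = dovecot
;   smtpd_sasl_path = inet:127.0.0.1:10001
```

To check the result from the Postfix host, `openssl s_client -connect 192.0.0.1:10001 -CAfile /etc/stunnel/internal-ca.crt -cert /etc/stunnel/postfix-client.crt -key /etc/stunnel/postfix-client.key` should complete a handshake showing the Dovecot-side certificate, while the same command without the client certificate, or a plain `nc 192.0.0.1 10001`, should fail to get past the TLS layer rather than show Dovecot's auth handshake. Two things remain plaintext and deserve a note: the loopback legs on each host are reachable by any local user, so on a shared Postfix host a unix socket with restrictive permissions would be the better local end, and the Dovecot-side listener on 127.0.0.1 should not also be exposed on the VLAN address.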