I am trying to get away from courier imap because it is flaky the way it uses FAM (or gamin in my case), and the developers seem to have a chip on their collective shoulder, and it is too complex. I found dovecot because it ships with CentOS 4 (ie Red Hat Enterprise 4). It looks like just what I need: simple, fast. But I can't use it! I can't authenticate. If any of these statements were untrue, I would use it happily:
o it doesn't support simple bind authentication against LDAP
o I don't want to make passwords readable, and this version (0.99.14) doesn't support SSHA anyway
o it won't talk to the saslauthd I already have configured
o I can't find how to implement a new auth module for dovecot
I am wondering why, in the quest to fill a niche with a simple, fast, secure IMAP server, the authors felt the need to re-implement a robust and well-tested infrastructure (saslauthd) with a less-featureful and untested one?
On Thu, 1 Sep 2005, Phillip Needham wrote:
> I am trying to get away from courier imap because it is flaky the way it uses FAM (or gamin in my case), and the developers seem to have a chip on their collective shoulder, and it is too complex. I found dovecot because it ships with CentOS 4 (ie Red Hat Enterprise 4). It looks like just what I need: simple, fast. But I can't use it! I can't authenticate. If any of these statements were untrue, I would use it happily:
> o it doesn't support simple bind authentication against LDAP
> o I don't want to make passwords readable, and this version (0.99.14) doesn't support SSHA anyway
> o it won't talk to the saslauthd I already have configured
> o I can't find how to implement a new auth module for dovecot
Just use PAM.
-- Ignacio Vazquez-Abrams
pam_ldap does not support simple bind either. Only saslauthd and courier-imap seem to. And the web applications I write...
I think simple bind is a better way to do it, as long as you trust the server and are using TLS or SSL. It requires less code, it is more portable, and doesn't become obsolete when a new password hash is invented. It offloads the task of hashing passwords completely to the server. That is how I have always done web applications.
I could be wrong; I would love for someone to explain to me why it's better to leave the password hash available for reading (and cracking), than to attempt the relatively complex task of a) determining which hash algorithm has encrypted the password and b) implementing that algorithm in every program you write in order to verify passwords and c) re-writing every program when you change the hash scheme.
Phillip Needham
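An added illustration (not code from any poster on this thread) of what steps a) and b) in the message above amount to in practice: a small Python verifier that has to recognise the scheme prefix of an LDAP userPassword value and reimplement each hash it wants to accept, here {SSHA}, {SHA} and cleartext. With a simple bind, all of this stays inside the LDAP server and the client never sees the hash. Function names and the sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Every scheme the application accepts must be (a) detected from its
    prefix and (b) reimplemented here; an unknown scheme is rejected,
    never guessed.  Comparisons are constant-time.
    """
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: the directory stored the password in the clear.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    return False   # e.g. {CRYPT} or {MD5}: step c) means adding code here


# Constructed sample entry with a fixed salt so the run is reproducible.
SAMPLE_STORED = make_ssha("correct-horse", salt=b"s4lt")


def demo() -> bool:
    """True when the right password verifies and a wrong one does not."""
    return (verify_userpassword(SAMPLE_STORED, "correct-horse")
            and not verify_userpassword(SAMPLE_STORED, "wrong-horse"))
```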
On Fri, 2 Sep 2005, Phillip Needham wrote:
> pam_ldap does not support simple bind either. Only saslauthd and courier-imap seem to. And the web applications I write...
The pam_ldap running on Debian Sarge supports simple bind and does not require reading the password hashes itself. I'm pretty sure that RedHat's pam_ldap supports it, too.
Bye,
-- Steffen Kaiser