[Dovecot] Postfix SASL AUTH from Dovecot
Again today got annoyed at Cyrus SASL. Upgrading it to a newer version had broken PAM support. Trying to log in as "user@domain" resulted in it only asking PAM for "user". Well, got it patched and working again, but I'd rather not go through it all the time..
So I finally did what I had been thinking about for a year or so: change Postfix to use dovecot-auth directly. This required cleaning up dovecot-auth quite a lot, but it seems to be working now.
Actually I finally implemented support for initial SASL response as well. POP3's AUTH command had required support for it, strange that no-one ever complained about it not working.
If you want to try it, you need the very latest CVS version of Dovecot and this patch for Postfix:
http://dovecot.org/patches/postfix-dovecot-auth.patch
dovecot-auth can be run on its own (configuration in environment variables), or you can use the extra_sockets auth setting, which is a ':'-separated list of UNIX sockets to listen on. You'd probably want to set it to /var/spool/postfix/etc/dovecot-auth; the location is hardcoded to /etc/dovecot-auth in the patch for now (smtpd is chrooted).
The only real problem is that Dovecot creates the dovecot-auth socket with 0660 root:root modes, so you have to manually chmod it to 0666 or fix the owner/group. I guess that needs some more thinking.. Probably each socket should have separate settings for it, but how to do it easily in the configuration? ..
The patch also has a hardcoded dovecot path in Makefile.in; you'll need to change that.
Hi, my main question here (as always): why do we need SASL at all? What are the main pros of SASL? I've never seen any good reason. Anyway, why do you use dovecot-auth for Postfix? Postfix has many authentication mechanisms for everything.
-- Levente "Si vis pacem para bellum!"
On Mon, 2004-05-31 at 15:47, Farkas Levente wrote:
My main question here (as always): why do we need SASL at all? What are the main pros of SASL? I've never seen any good reason.
SMTP AUTH is done with SASL, so IP-address restrictions and POP/IMAP-before-SMTP are the only alternatives.
SASL is really just a list of requirements for an authentication mechanism to be SASL compatible. There are plaintext SASL mechanisms (PLAIN, LOGIN) which are commonly used with SMTP authentication.
When talking about a SASL library, it usually does much more than just implement the few SASL mechanisms. It has to know how to verify the passwords, where to find the user's home directory, etc. dovecot-auth, for example, consists of:
# user/password databases (pam, ldap, sql, ..)
~/cvs/dovecot/src/auth% wc -l db-*.c|tail -1
975 total
~/cvs/dovecot/src/auth% wc -l userdb*.c|tail -1
881 total
~/cvs/dovecot/src/auth% wc -l passdb*.c|tail -1
1497 total
# password matching functions (crypt, md5, ..)
~/cvs/dovecot/src/auth% wc -l password*.c|tail -1
475 total
# sasl authentication mechanisms
~/cvs/dovecot/src/auth% wc -l mech-*.c
82 mech-anonymous.c
251 mech-cram-md5.c
250 mech-cyrus-sasl2.c
652 mech-digest-md5.c
136 mech-plain.c
1371 total
Only the mech-*.c files are SASL mechanism specific code. ANONYMOUS could be done pretty much by sending the username "anonymous" and an empty password. CRAM-MD5 and DIGEST-MD5 aren't really useful if SSL is being used, except that with them the server never sees the plaintext password. What could actually be very useful are Kerberos and OTP mechanisms, if someone just implemented them.
Anyway, why do you use dovecot-auth for Postfix? Postfix has many authentication mechanisms for everything.
AFAIK Postfix uses only the Cyrus SASL library for authentication; it hasn't implemented anything internally and it doesn't support any other library (and there aren't many). And Cyrus SASL was the thing I've always disliked.
It also means less configuration.
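The mechanisms listed above, as an added example (not Dovecot's or Postfix's code): a minimal server-side check of a PLAIN response, whether it arrives as the initial response on the AUTH line or after the server's prompt, next to a CRAM-MD5 exchange, showing why PLAIN/LOGIN only make sense over TLS while CRAM-MD5 keeps the password itself off the wire. PASSDB is a constructed stand-in for the passdb lookup.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo credential store (authcid -> password); dovecot-auth would use a passdb.
PASSDB = {"user@domain": "s3cret"}

def plain_response(authzid, authcid, passwd):
    """Client side of PLAIN: base64([authzid] NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()

def decode_plain(response):
    """Parse a PLAIN response (initial response on the AUTH line or after 334); None if malformed."""
    try:
        parts = base64.b64decode(response, validate=True).decode("utf-8").split("\0")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None  # exactly two NULs; authcid and password must be non-empty
    return tuple(parts)

def verify_plain(response):
    parsed = decode_plain(response)
    if parsed is None:
        return False
    authzid, authcid, passwd = parsed
    if authzid and authzid != authcid:
        return False  # proxy authorization is not offered in this demo
    expected = PASSDB.get(authcid)
    return expected is not None and hmac.compare_digest(expected.encode(), passwd.encode())

def cram_md5_challenge():
    return base64.b64encode(os.urandom(16).hex().encode()).decode()  # fresh nonce

def cram_md5_client(challenge, authcid, passwd):
    """Client reply: base64('authcid SP hex(HMAC-MD5(passwd, challenge))'), RFC 2195."""
    mac = hmac.new(passwd.encode(), base64.b64decode(challenge), hashlib.md5).hexdigest()
    return base64.b64encode(f"{authcid} {mac}".encode()).decode()

def verify_cram_md5(challenge, response):
    """Server recomputes the HMAC from its stored password; the password never crosses the wire."""
    try:
        authcid, digest = base64.b64decode(response, validate=True).decode().split(" ", 1)
    except ValueError:
        return False
    if authcid not in PASSDB:
        return False
    mac = hmac.new(PASSDB[authcid].encode(), base64.b64decode(challenge), hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, digest)
```

The trade-off the thread mentions is visible here: verify_cram_md5 needs the stored password in recoverable form, whereas verify_plain could compare against a crypt or MD5 hash instead.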
Just guessing from my armchair here, but I believe I heard Wietse (of postfix and tcp wrappers fame) wasn't willing to include SMTP AUTH patches into postfix, because SASL was too large and unaudited.
If you have something that allows authenticated SMTP for postfix via dovecot, and it's not a huge gob of unaudited code, you might be onto something really nice - particularly if the changes can be included in the postfix (or dovecot?) baseline so people don't have to patch, and repatch, and hope patching continues to work.
Dan Stromberg DCS/NACS/UCI <strombrg@dcs.nac.uci.edu>
On 1.6.2004, at 23:26, Dan Stromberg wrote:
Just guessing from my armchair here, but I believe I heard Wietse (of postfix and tcp wrappers fame) wasn't willing to include SMTP AUTH patches into postfix, because SASL was too large and unaudited.
Similar to my reasons for not using it.
If you have something that allows authenticated SMTP for postfix via dovecot, and it's not a huge gob of unaudited code, you might be onto something really nice - particularly if the changes can be included in the postfix (or dovecot?) baseline so people don't have to patch, and repatch, and hope patching continues to work.
Someone already sent my original mail to Wietse. Reply was pretty much "I'll continue Postfix hacking in July". We'll see then :)
The Postfix part of the code would be minimal anyway. My current patch uses Dovecot's code for it, but only because it was the fastest way to do it. It only needs to send and receive data via UNIX sockets, nothing special.