Detect port number of SASL AUTH request?
Hi, this is partly Postfix related, but I want to know if there could be a way to distinguish the port of the SASL AUTH request to segregate user services.
Currently I use unix listener for dovecot sasl auth, but could change to inet_listener.
The only way I can think of is to have different SASL AUTH services for each master.cf entry where it's needed. But is it possible for Dovecot to have more than one SASL AUTH service with different configuration setups? It would be nicer if there was a way for Postfix to tell Dovecot about the port the client connected on.
Or maybe it can be done with a SASL realm? I'm not sure how. Any help please?
On 16-11-2017 at 2:07, MRob wrote:
I am not sure I understand the question completely.
The Dovecot SASL auth protocol allows setting various auxiliary fields:
https://github.com/dovecot/core/blob/release-2.2.33/src/auth/auth-request.c#... (Which, apparently, aren't all documented: https://wiki2.dovecot.org/Design/AuthProtocol)
The service connection ports are among those fields. So, at least an authentication client (e.g. Postfix) could pass the ip:port to Dovecot. I don't know whether Postfix sets one of these port values at this time.
And even then, there's the question of whether the port value can be used as a selector in some dynamic configuration. The local {...} configuration sections can as far as I know only be used with IPs and not with ports or IP:ports. Maybe you could do some magic in variable substitutions, e.g. use it in the passdb/userdb database lookup.
Regards,
Stephan.
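To make the two points above concrete (an authentication client can pass the local port in the AUTH line, and any selection keyed on it has to cope with the field being absent), here is an added example that is not part of this thread and not Dovecot's or Postfix's own code. It assumes only the tab-separated AUTH line format and the lport/rport/lip/rip/service/secured fields named on the Design/AuthProtocol page; the handshake (VERSION, CPID and so on), Dovecot's \x01-based escaping of control characters inside values, and the passdb names in the port table are left out or constructed for illustration.

```python
# Added example (not part of the original thread or of Dovecot/Postfix code):
# a minimal builder and parser for the AUTH line of the Dovecot SASL auth
# protocol (https://wiki2.dovecot.org/Design/AuthProtocol), plus a policy hook
# that picks a passdb by the "lport" field, falling back when it is absent.
from dataclasses import dataclass, field
from typing import Dict, Optional

# The protocol is line based and tab separated:
#   AUTH<TAB>id<TAB>mechanism<TAB>key=value<TAB>flag...<LF>
# Flag fields such as "secured" or "nologin" carry no "=value".
_FORBIDDEN = ("\t", "\n", "\r", "\x01")


@dataclass
class AuthRequest:
    req_id: int
    mech: str
    params: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, name: str) -> bool:
        return name in self.params and self.params[name] is None


def build_auth_line(req_id: int, mech: str, flags=(), **params: str) -> str:
    """Compose an AUTH request as an authentication client (e.g. an MTA) would.

    Simplification (assumption): Dovecot escapes TAB/CR/LF inside values with
    its own \\x01 escaping; here such values are rejected instead.
    """
    fields = ["AUTH", str(req_id), mech]
    for key, value in params.items():
        if any(ch in value for ch in _FORBIDDEN):
            raise ValueError(f"unescaped control character in {key}")
        fields.append(f"{key}={value}")
    fields.extend(flags)
    return "\t".join(fields) + "\n"


def parse_auth_line(line: str) -> AuthRequest:
    """Parse one AUTH line as the auth server side would."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request")
    req = AuthRequest(req_id=int(parts[1]), mech=parts[2])
    for item in parts[3:]:
        key, sep, value = item.partition("=")
        req.params[key] = value if sep else None   # flag -> None
    return req


# Constructed policy: which passdb (by name) serves clients that connected on
# which local port. The names are hypothetical; a real setup would map them to
# configured passdb sections or to a lookup key built from %{lport}.
PORT_PASSDB = {
    587: "submission-users",
    465: "submission-users",
    25: "relay-users",
}
DEFAULT_PASSDB = "default-users"


def select_passdb(req: AuthRequest) -> str:
    """Choose a passdb from the lport field; fall back when it is missing or bad.

    The fallback matters because an authentication client is not required to
    send lport at all (the thread notes Postfix may not), and a policy keyed on
    an optional field must not open a more permissive path when it is absent.
    """
    lport = req.params.get("lport")
    if lport is None:
        return DEFAULT_PASSDB
    try:
        port = int(lport)
    except ValueError:
        return DEFAULT_PASSDB
    return PORT_PASSDB.get(port, DEFAULT_PASSDB)


def demo() -> dict:
    """Round-trip two constructed requests: one with lport, one without."""
    with_port = build_auth_line(
        1, "PLAIN", flags=("secured",), service="smtp",
        lip="192.0.2.10", rip="198.51.100.7", lport="587", rport="51234",
    )
    without_port = build_auth_line(2, "PLAIN", service="smtp", rip="198.51.100.7")
    a = parse_auth_line(with_port)
    b = parse_auth_line(without_port)
    return {
        "with_port": select_passdb(a),
        "without_port": select_passdb(b),
        "secured": a.has_flag("secured"),
    }


if __name__ == "__main__":
    print(demo())
```

The selection step is the part that would have to live inside Dovecot (for instance through a variable such as %{lport} in a passdb lookup key, as suggested above); the example only shows the shape of the data that arrives and why the "no lport" case needs an explicit, least-permissive default.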