[Dovecot] Dovecot using saslauthd
Hi,
Trying to simplify the postfix/dovecot/saslauthd setup with less than 10 users, I was looking for some way to NOT duplicate the username/password setup.
Currently I need to use a separate file for dovecot as I do for saslauthd. (One is a simple shadow-alike file, the other the sasldb)
I know that postfix 2.3 can use dovecot directly for sasl authentication, and that would be a neat solution, but we're stuck with postfix 2.2.
I was wondering if anyone ever succeeded in making dovecot use saslauthd for authentication so that saslauthd becomes the authoritative source for password authentication for virtual users. (both for smtp auth and pop3/imap)
My other idea to simplify was using something like pam_unix, but modified to use a separate file (not /etc/shadow) and use pam in both dovecot and saslauthd. But I can't find something like that, pam_unix is fixed, and pam_userdb is something I'd like to avoid.
Any ideas ?
Thanks in advance, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
Dag Wieers wrote:
Trying to simplify the postfix/dovecot/saslauthd setup with less than 10 users, I was looking for some way to NOT duplicate the username/password setup. [...] My other idea to simplify was using something like pam_unix, but modified to use a separate file (not /etc/shadow) and use pam in both dovecot and saslauthd. But I can't find something like that, pam_unix is fixed, and pam_userdb is something I'd like to avoid.
Why don't you just use pam_unix?
Cheers, -jkt
-- cd /local/pub && more beer > /dev/mouth
On Sat, 16 Sep 2006, Jan Kundrát wrote:
Dag Wieers wrote:
Trying to simplify the postfix/dovecot/saslauthd setup with less than 10 users, I was looking for some way to NOT duplicate the username/password setup. [...] My other idea to simplify was using something like pam_unix, but modified to use a separate file (not /etc/shadow) and use pam in both dovecot and saslauthd. But I can't find something like that, pam_unix is fixed, and pam_userdb is something I'd like to avoid.
Why don't you just use pam_unix?
These are virtual users.
But I found a workaround, apparently saslauthd is able to authenticate against dovecot IMAP using the 'rimap' authentication mechanism. Sadly this means I have to enable PLAIN IMAP password authentication in dovecot.
But at least it means I can get rid of the sasldb database that had the same user/pass information that was in my dovecot passwd file.
Now the only redundant information is in postfix's virtual user file and in the dovecot virtual user file. For defining a new user this means I have 3 files to edit (dovecot userdb and passdb, and postfix virtual mailbox map) instead of 4 (sasldb).
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
On Saturday 16 September 2006 13:46, Dag Wieers wrote:
But I found a workaround, apparently saslauthd is able to authenticate against dovecot IMAP using the 'rimap' authentication mechanism. Sadly this means I have to enable PLAIN IMAP password authentication in dovecot.
Where did you find the documentation for 'rimap'? I might like to look into it also.
-- Gerard
cd /local/pub && more beer > /dev/mouth
On Sat, 16 Sep 2006, Gerard Seibert wrote:
On Saturday 16 September 2006 13:46, Dag Wieers wrote:
But I found a workaround, apparently saslauthd is able to authenticate against dovecot IMAP using the 'rimap' authentication mechanism. Sadly this means I have to enable PLAIN IMAP password authentication in dovecot.
Where did you find the documentation for 'rimap'? I might like to look into it also.
It was vaguely mentioned in the saslauthd manpage. As a result, when I skimmed the file I had no clue what it meant :)
On a RHEL4, what is required is this:
/etc/sysconfig/saslauthd:
MECH=rimap
FLAGS="-O 127.0.0.1 -r"
The -r was required so a username like "user@realm" is forwarded verbatim to dovecot. The -O option is the new way to specify the IMAP hostname/ip, this used to be -H. You can debug using -d.
Also I had to change the saslauthd conf-file as used by postfix:
/usr/lib64/sasl/smtpd.conf
saslauthd_version: 2
pwcheck_method: saslauthd
mech_list: plain login
and /etc/lib64/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
The previous method I used was auxprop, but that seemed to interfere with rimap.
I'd be happy to receive feedback about this, as I'm not sure if all these changes were necessary. Other improvements are welcomed as well :)
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
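The two files above are small, but the settings interact (MECH, -r, -O, pwcheck_method, mech_list), and the one security-relevant detail is that rimap hands the user's cleartext password to dovecot in an IMAP LOGIN, so the -O target should stay on loopback. The following checker is an added example, not code from the thread or from the saslauthd or dovecot projects: it parses constructed copies of /etc/sysconfig/saslauthd and smtpd.conf with the values Dag posted and reports anything that deviates from that working setup. The sample file contents and the finding texts are constructed for illustration; the option names (-O, -H, -r, pwcheck_method, mech_list) are the ones discussed in the post.

```python
import shlex

# Constructed sample of /etc/sysconfig/saslauthd with the values given in the post
SYSCONFIG_SAMPLE = """\
# Directory in which to place saslauthd's listening socket
SOCKETDIR=/var/run/saslauthd
MECH=rimap
FLAGS="-O 127.0.0.1 -r"
"""

# Constructed sample of the smtpd.conf that Postfix reads via Cyrus SASL
SMTPD_CONF_SAMPLE = """\
pwcheck_method: saslauthd
mech_list: plain login
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_sysconfig(text):
    """Parse shell-style KEY=VALUE lines; quotes are stripped, comments skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = " ".join(shlex.split(value))
    return values


def parse_sasl_conf(text):
    """Parse a Cyrus SASL application config ('key: value' per line)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip()
    return values


def rimap_target(flags):
    """Return the host given with -O (or the older -H), or None if absent."""
    for opt in ("-O", "-H"):
        if opt in flags:
            idx = flags.index(opt)
            return flags[idx + 1] if idx + 1 < len(flags) else None
    return None


def check_rimap_setup(sysconfig_text, smtpd_conf_text):
    """Return a list of findings; an empty list means the setup matches the post."""
    findings = []
    sysconfig = parse_sysconfig(sysconfig_text)
    flags = shlex.split(sysconfig.get("FLAGS", ""))

    if sysconfig.get("MECH") != "rimap":
        findings.append("MECH must be rimap for saslauthd to ask dovecot")
    if "-r" not in flags:
        findings.append("-r missing: user@realm would not reach dovecot verbatim")
    if "-H" in flags:
        findings.append("-H is the old option name; use -O for the IMAP host")

    target = rimap_target(flags)
    if target is None:
        findings.append("no IMAP host given with -O")
    elif target not in LOOPBACK:
        # rimap sends the user's cleartext password in an IMAP LOGIN;
        # keep that on the local host unless the link is otherwise protected.
        findings.append("rimap target %s is not loopback: cleartext LOGIN crosses the network" % target)

    conf = parse_sasl_conf(smtpd_conf_text)
    method = conf.get("pwcheck_method", "")
    if method != "saslauthd":
        findings.append("pwcheck_method is %r, not saslauthd (auxprop interfered with rimap in the post)" % method)
    mechs = conf.get("mech_list", "").split()
    unsupported = [m for m in mechs if m.lower() not in ("plain", "login")]
    if unsupported:
        # saslauthd only ever sees a cleartext password, so shared-secret
        # mechanisms such as CRAM-MD5 or DIGEST-MD5 cannot be verified by it.
        findings.append("mech_list contains mechanisms saslauthd cannot verify: " + " ".join(unsupported))
    return findings


if __name__ == "__main__":
    for finding in check_rimap_setup(SYSCONFIG_SAMPLE, SMTPD_CONF_SAMPLE) or ["ok: matches the thread's setup"]:
        print(finding)
```

To run it against a real box, read the two files from disk and pass their contents to check_rimap_setup(); the mech_list check is the one most worth keeping, since adding CRAM-MD5 or DIGEST-MD5 to a saslauthd-backed smtpd.conf silently breaks authentication rather than hardening it.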
Gerard Seibert writes:
On Saturday 16 September 2006 13:46, Dag Wieers wrote:
But I found a workaround, apparently saslauthd is able to authenticate against dovecot IMAP using the 'rimap' authentication mechanism. Sadly this means I have to enable PLAIN IMAP password authentication in dovecot.
Where did you find the documentation for 'rimap'? I might like to look into it also.
man saslauthd
I've used this method in the past to get exim to use saslauthd to authenticate SMTP connections. I found it too messy for my taste. These days, I tend to keep user accounts (even if it is just 20) in mysql. That way, exim (or postfix), dovecot (or courier-imap), apache and pure-ftpd can all make use of the same user database, and I can easily move between postfix and exim, or courier-imap and dovecot, depending on my mood :)
Adding and removing users is made trivial by tools such as PhpMyAdmin.
-- Anand
On Sat, 16 Sep 2006, Anand Buddhdev wrote:
Gerard Seibert writes:
On Saturday 16 September 2006 13:46, Dag Wieers wrote:
But I found a workaround, apparently saslauthd is able to authenticate against dovecot IMAP using the 'rimap' authentication mechanism. Sadly this means I have to enable PLAIN IMAP password authentication in dovecot.
Where did you find the documentation for 'rimap'? I might like to look into it also.
man saslauthd
I've used this method in the past to get exim to use saslauthd to authenticate SMTP connections. I found it too messy for my taste. These days, I tend to keep user accounts (even if it is just 20) in mysql. That way, exim (or postfix), dovecot (or courier-imap), apache and pure-ftpd can all make use of the same user database, and I can easily move between postfix and exim, or courier-imap and dovecot, depending on my mood :)
Adding and removing users is made trivial by tools such as PhpMyAdmin.
I agree with you in general, but complexity can be looked at from different viewpoints. I did not want to introduce another dependency and the filesystem already was a dependency, mysql was not :)
But I agree that mysql (or another database, or ldap) in general offers much more flexibility for management and in most cases is a better approach.
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
On Saturday 16 September 2006 08:56, Dag Wieers wrote:
I know that postfix 2.3 can use dovecot directly for sasl authentication, and that would be a neat solution, but we're stuck with postfix 2.2.
You, of all people, stuck?!?! How could that be?
I used several of your RPMs (thanks!) to improve a RHEL4 machine. You didn't have a Postfix 2.3 RPM, but I got the SRPM from Simon Mudd. There was simply no way I would accept an artificial limit on software versions, doing things the hard way, when Wietse and Timo have already solved those problems.
Postfix 2.3 on RHEL4 is working nicely with Dovecot SASL.
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
On Sat, 16 Sep 2006, /dev/rob0 wrote:
On Saturday 16 September 2006 08:56, Dag Wieers wrote:
I know that postfix 2.3 can use dovecot directly for sasl authentication, and that would be a neat solution, but we're stuck with postfix 2.2.
You, of all people, stuck?!?! How could that be?
I used several of your RPMs (thanks!) to improve a RHEL4 machine. You didn't have a Postfix 2.3 RPM, but I got the SRPM from Simon Mudd. There was simply no way I would accept an artificial limit on software versions, doing things the hard way, when Wietse and Timo have already solved those problems.
Postfix 2.3 on RHEL4 is working nicely with Dovecot SASL.
But you lose support from Red Hat (or CentOS) and every customization makes you drift away from a certain standard. So you have different arguments for or against a change from the standard and some things weigh up more than others.
Luckily I'm happy with the saslauthd rimap solution without needing to move postfix from supported (think: security assessment and security updates) to unsupported. Even though they both probably work fine and there may not be any security problems, ever :)
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]