Dovecot and remote SASL Client via TLS
Hello,
Is it possible to configure Dovecot as SASL client for central authentication (also remotely via TCP/TLS)?
Following use case: IMAP server (host 1) <=> Windows Domain Controller and /etc/shadow authenticator via pam (host2)
Should work as: IMAP server (host 1) <=> SASL Client via TLS <=> Network <=> SASL Server via TLS <=> Local SASL via pam <=> Windows Domain Controller and /etc/shadow authenticator via pam (host2)
Thank you.
Ciao, Gerhard
On 29.06.2014 07:53, Gerhard Wiesinger wrote:
> Hello,
> Is it possible to configure Dovecot as SASL client for central authentication (also remotely via TCP/TLS)?
> Following use case: IMAP server (host 1) <=> Windows Domain Controller and /etc/shadow authenticator via pam (host2)
> Should work as: IMAP server (host 1) <=> SASL Client via TLS <=> Network <=> SASL Server via TLS <=> Local SASL via pam <=> Windows Domain Controller and /etc/shadow authenticator via pam (host2)
Any comments?
Thank you.
Ciao, Gerhard
Hello,
Anyone interested, I solved it the following way:

imap server: dovecot <=> /bin/saslcheckpassword <=> local unix domain socket for saslauthd <=> socat client
                                                                                                   ^
                                                                                                   | Remote TLS connection
                                                                                                   v
auth server: socat server <=> saslauthd <=> /etc/passwd, /etc/shadow
saslcheckpassword is based on checkpassword.sh and enhanced for SASL, modified version attached: https://bitbucket.org/vizovitin/dovecot-conf-examples/src/tip/checkpassword-...
Detailed configs below.
imap server:
    touch /var/log/dovecot-saslcheckpassword.log
    chown dovecot:dovecot /var/log/dovecot-saslcheckpassword.log
    chmod 750 /var/log/dovecot-saslcheckpassword.log
Advantage is single authentication entity.
Works well for me for some time now.
If you have some questions feel free to ask.
Ciao, Gerhard
================================================================================================================================================================

IMAP server, SASL client:

cat /etc/systemd/system/multi-user.target.wants/saslclient.service
[Unit]
Description=SASL remote client for authentication, provides local unix domain socket
After=network.target

[Service]
# Must be running under permissions for the dovecot user!
# The remote host and port must match the OPENSSL-LISTEN address of the auth server's socat.
ExecStart=/usr/bin/socat -4 -ly UNIX-LISTEN:/var/run/saslauthd/mux,fork,user=dovecot,group=dovecot 'OPENSSL:myserver:1234,verify=1,method=TLSv1,cipher=DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5,cafile=/etc/socat/mycert.crt'

[Install]
WantedBy=multi-user.target

Auth server:

cat /etc/systemd/system/multi-user.target.wants/saslserver.service
[Unit]
Description=SASL remote server for authentication
After=network.target

[Service]
# verify=0: the server does not require a client certificate; cert= is the server's own key+cert.
ExecStart=/usr/bin/socat -4 -ly 'OPENSSL-LISTEN:9999,reuseaddr,fork,verify=0,method=TLSv1,cipher=DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5,cert=/etc/socat/mycert.pem,cafile=/etc/socat/mycert.crt' /var/run/saslauthd/mux

[Install]
WantedBy=multi-user.target
Relevant dovecot config:

userdb {
  args = username_format=%n /etc/dovecot/users
  driver = passwd-file
}

passdb {
  args = /bin/saslcheckpassword
  driver = checkpassword
}
On 16.07.2014 15:50, Gerhard Wiesinger wrote:
> Any comments?
> Thank you.
> Ciao, Gerhard
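What actually travels through the Unix socket /var/run/saslauthd/mux (and therefore through the socat TLS tunnel) is saslauthd's simple wire protocol: the client writes four length-prefixed fields (login, password, service, realm), each a 16-bit big-endian length followed by the bytes, and saslauthd answers with one length-prefixed string beginning with "OK" or "NO". The following is an added example, not the checkpassword script from the thread and not Dovecot or Cyrus SASL code: a client that speaks that protocol, plus an in-process stand-in for saslauthd backed by a constructed user table (hypothetical users "alice" and "bob"), so the exchange can be run offline without a real saslauthd, a PAM stack, or a domain controller.

```python
import hmac
import os
import socket
import struct
import tempfile
import threading

# Constructed sample credential table standing in for the /etc/shadow lookup
# that the real saslauthd performs via PAM (hypothetical users, not from the thread).
SAMPLE_USERS = {"alice": "correct horse battery", "bob": "s3cret-pass"}


def _pack_field(value: bytes) -> bytes:
    """saslauthd field encoding: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(value)) + value


def _read_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; treat a premature close as a protocol error."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending a complete field")
        buf += chunk
    return buf


def _read_field(conn: socket.socket) -> bytes:
    (length,) = struct.unpack(">H", _read_exact(conn, 2))
    return _read_exact(conn, length)


def encode_request(login: str, password: str, service: str = "imap", realm: str = "") -> bytes:
    """Build the request saslauthd expects: login, password, service, realm in that order."""
    return b"".join(_pack_field(f.encode()) for f in (login, password, service, realm))


def saslauthd_check(sock_path: str, login: str, password: str,
                    service: str = "imap", realm: str = "") -> bool:
    """Authenticate against the saslauthd mux socket; True only on an 'OK' reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(encode_request(login, password, service, realm))
        reply = _read_field(s)
    return reply.startswith(b"OK")


def start_fake_saslauthd(users: dict):
    """Serve the saslauthd protocol on a fresh Unix socket; returns (path, stop_function)."""
    path = os.path.join(tempfile.mkdtemp(), "mux")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                login, password, service, realm = (_read_field(conn) for _ in range(4))
                expected = users.get(login.decode(errors="replace"))
                # Constant-time comparison so the reply timing does not leak the password.
                ok = expected is not None and hmac.compare_digest(expected.encode(), password)
                conn.sendall(_pack_field(b"OK" if ok else b"NO authentication failed"))

    threading.Thread(target=serve, daemon=True).start()
    return path, srv.close


if __name__ == "__main__":
    mux, stop = start_fake_saslauthd(SAMPLE_USERS)
    print("alice/good:", saslauthd_check(mux, "alice", "correct horse battery"))
    print("alice/bad :", saslauthd_check(mux, "alice", "wrong"))
    print("unknown   :", saslauthd_check(mux, "mallory", "x"))
    stop()
```

Because the protocol carries the password in clear text, anything that exposes the mux socket to an untrusted path exposes credentials; that is why the thread's socat tunnel wraps it in TLS and why the Unix socket on the IMAP host is created owned by the dovecot user. Note that the 16-bit length prefix caps each field at 65535 bytes, and a client that does not close the connection after reading the reply will hang a saslauthd worker until timeout.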