can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
Am 08.12.22 um 06:14 schrieb justina colmena ~biz:
On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
For some reason I use cyrus-sasl with postfix, but I can't get it to work with dovecot. Ideas? Pointers to docs online?
usally its more easy to configure dovecot,postfix with a database like mysql, mysql auth with i.e apache should be easy then
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
I suppose. Essentially create a database table and supply a custom SQL query for authentication. Program a PHP web form with a token to reset user password with a recovery email, etc. Postgres/nginx should be just as easy as mysql/apache. --
On Wednesday, December 7, 2022 10:48:27 PM AKST, Robert Schetterer wrote:
Am 08.12.22 um 06:14 schrieb justina colmena ~biz:
On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
For some reason I use cyrus-sasl with postfix, but I can't get it to work with dovecot. Ideas? Pointers to docs online?
usally its more easy to configure dovecot,postfix with a database like mysql, mysql auth with i.e apache should be easy then
On 12/7/22 21:53, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
I am using dovecot to provide authentication for postfix submission. This is the config in postfix:
smtpd_sasl_type = dovecot # Referring to /var/spool/postfix/private/auth smtpd_sasl_path = private/auth
In /etc/dovecot/conf.d/10-master.conf I have this:
unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix }
If the application supports using a socket for sasl, then I would imagine that Dovecot should work.
Postfix is using the same postfixadmin database for email addresses that Dovecot is, but for authentication, it's all Dovecot.
I should probably look into Dovecot's submission support so I don't need to have postfix using that auth socket, just haven't found the time.
Thanks, Shawn
So this should allow postfix to piggyback on top of whatever dovecot auth is being used.
On Thursday, December 8, 2022 4:49:06 AM AKST, Shawn Heisey wrote:
On 12/7/22 21:53, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
I am using dovecot to provide authentication for postfix submission. This is the config in postfix:
smtpd_sasl_type = dovecot # Referring to /var/spool/postfix/private/auth smtpd_sasl_path = private/auth
In /etc/dovecot/conf.d/10-master.conf I have this:
unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix }
If the application supports using a socket for sasl, then I would imagine that Dovecot should work.
Postfix is using the same postfixadmin database for email addresses that Dovecot is, but for authentication, it's all Dovecot.
I should probably look into Dovecot's submission support so I don't need to have postfix using that auth socket, just haven't found the time.
Thanks, Shawn
Okay. Let's try this. With the snippet you posted from "/etc/dovecot/conf.d/10-master.conf " inside the "service auth {...}" section.
This is from my "/etc/postfix/master.cf"
submission inet n - n - - smtpd # -o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous
On Thursday, December 8, 2022 4:49:06 AM AKST Shawn Heisey wrote:
On 12/7/22 21:53, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
I am using dovecot to provide authentication for postfix submission. This is the config in postfix:
smtpd_sasl_type = dovecot # Referring to /var/spool/postfix/private/auth smtpd_sasl_path = private/auth
In /etc/dovecot/conf.d/10-master.conf I have this:
unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix }
If the application supports using a socket for sasl, then I would imagine that Dovecot should work.
Postfix is using the same postfixadmin database for email addresses that Dovecot is, but for authentication, it's all Dovecot.
I should probably look into Dovecot's submission support so I don't need to have postfix using that auth socket, just haven't found the time.
Thanks, Shawn
Yes,
we are using dovecot, also, for SASL only as authentication provider.
Here some relevants parts of the configuration:
# probably not necessary but dovecot requires it so i set it to /tmp/
mail_location = maildir:/tmp/%u/Maildir:INDEX=memory
# setup a mysql database with your users and password passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
# here is the most important part, with this you can query SASL via port "12345" or via socket service auth { inet_listener { port = 12345 } unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } }
# SASL don't support SSL ssl = no
Ciao
Il 08/12/22 05:53, Henry R ha scritto:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice
good to know. thanks a lot.
Yes,
we are using dovecot, also, for SASL only as authentication provider.
Here some relevants parts of the configuration:
# probably not necessary but dovecot requires it so i set it to /tmp/
mail_location = maildir:/tmp/%u/Maildir:INDEX=memory
# setup a mysql database with your users and password passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
# here is the most important part, with this you can query SASL via port "12345" or via socket service auth { inet_listener { port = 12345 } unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } }
# SASL don't support SSL ssl = no
Ciao
Il 08/12/22 05:53, Henry R ha scritto:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
-- Alessio Cecchi Postmaster @ http://www.qboxmail.it/ https://www.linkedin.com/in/alessice
https://doc.dovecot.org/configuration_manual/authentication/sql/#password-ve...
Perfect. However on Postfix it is more finicky.
https://www.postfix.org/SASL_README.html#auxprop_sql
Tip If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, see section "Using saslauthd with PAM", and configure PAM to look up the encrypted passwords with, for example, the pam_mysql module. You will not be able to use any of the methods that require access to plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-MD5.
On Thursday, December 8, 2022 10:17:11 AM AKST, Alessio Cecchi wrote:
Yes,
we are using dovecot, also, for SASL only as authentication provider.
Here some relevants parts of the configuration:
# probably not necessary but dovecot requires it so i set it to /tmp/
mail_location = maildir:/tmp/%u/Maildir:INDEX=memory
# setup a mysql database with your users and password passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql }
# here is the most important part, with this you can query SASL via port "12345" or via socket service auth { inet_listener { port = 12345 } unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } }
# SASL don't support SSL ssl = no
Ciao
Il 08/12/22 05:53, Henry R ha scritto:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
On 2022-12-07 20:53, Henry R wrote:
can dovecot run as a general sasl service for other apps? such as webdav.
Thanks.
Almost anything can use dovecot (or any other system) as an authentication SASL service, but it is the 'gotchas' that you have to think about.
- Does this open your SASL mechanism to new brute force attacks?
- How do you pass additional information to the SASL, eg country of origin, IP Address
- How do you pass 2FA through?
- Rate Limiting?
- What about policies such as the use of TOR Proxies?
- Will this create excessive demand on dovecot?
On the surface, the authentication part is the most simple. However, you might want to consider connecting directly to the underlying mechanism that your dovecot is using. With a middle layer of course, that addresses all of the other issues.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
participants (6)
-
Alessio Cecchi
-
Henry R
-
justina colmena ~biz
-
Michael Peddemors
-
Robert Schetterer
-
Shawn Heisey