Hi,

I am using SMTP-AUTH over TLS with sendmail, to allow remote users to authenticate and send mail via my server, and this uses saslauthd to authenticate users.

I have set up saslauthd with the "MECH=rimap" mechanism, so it uses the local IMAP server, Dovecot, for authentication.

I want to do this because Dovecot is set up to use /etc/passwd for user credentials (so I don't have multiple password files to manage), and Dovecot handles restricting the range of valid UIDs (including blocking root). (Using the default MECH=shadow with saslauthd allows all users to authenticate, which I don't want)

For real "normal" users, this all works fine - right password = user can relay mail, wrong password = relaying denied. So far so good.

If I try to authenticate as root (which I want NEVER to work), with the wrong password, Dovecot correctly refuses to allow root IMAP access and saslauthd/sendmail denies the relay.

But if I try to authenticate as root with the correct password (which I still want NOT to work!), Dovecot still refuses IMAP access, and puts this in the maillog:

Oct 5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root) Oct 5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]

But saslauthd seems to treat this as a successful authentication and still allows root to relay email!

So: Dovecot problem or saslauthd problem?

Server is running CentOS 4.1, fully patched. Packages are dovecot-0.99.11-2.EL4.1, cyrus-sasl-2.1.19-5.EL4, sendmail-8.13.1-2.

Thanks Andrew