[Dovecot] [Postfix] SASL Auth. using Dovecot with password forwarding proxy configuration
Hi,
I'm relatively new to Dovecot and I did a bit of searching but couldn't find a possible solution for the particular setup I'm working on. Basically I have an SMTP/POP/IMAP proxy setup running Postfix & Dovecot. IMAP/POP authentication is done using the password proxy feature, where the login credentials are passed to the backend server after a DB lookup, which does the actual authentication. The POP/IMAP part is working fine.

What I'm trying to do is to use the Dovecot SASL implementation in Postfix to do SMTP authentication in a similar manner. The problem I have with my current configuration is that SMTP authentication succeeds if only the username matches, because password forwarding works if the authentication succeeds with any given password, as documented at http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

My question is, given the above: is there a way to get SMTP authentication working properly in this scenario? The way I see it now, Dovecot SASL accepting the login if only the user matches isn't quite "complete"; the auth process should go further and authenticate against the backend server, the same as for POP/IMAP connections. Does this requirement make any sense? Maybe I'm missing something in the Dovecot configuration to get SMTP authentication to work in password forwarding mode; a few pointers will be highly appreciated. PopBSMTP is not a sensible alternative in my case.

Here's my configuration, plus some dovecot auth_debug log entries. As you can see, SMTP authentication succeeds with any given password.
---Dovecot---
dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.2.1.el6.centos.plus.x86_64 x86_64 CentOS release 6.3 (Final)
auth_cache_size = 4 k
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_ca = </etc/pki/tls/certs/ca-cert.pem
ssl_cert = </etc/pki/tls/certs/_cert.pem
ssl_key = </etc/pki/tls/certs/_key.pem
userdb {
  driver = prefetch
}
grep -v "^$\|^#" /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=postfixpassword
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = '%u'
---Dovecot---
---Postfix---
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
---Postfix---
---/var/log/maillog---
(IMAP connection)
Aug 31 11:20:20 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=192.168.1.222#011rip=192.168.1.56#011lport=993#011rport=44024#011resp=AGFAMGFkaXRlc3QubmV0ADEyM3F3ZVpYQw==
Aug 31 11:20:20 centos6 dovecot: auth: Debug: cache(a@0aditest.net,192.168.1.56): miss
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:20:21 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:20:21 centos6 dovecot: auth: Debug: sql(a@0aditest.net,192.168.1.56): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a@0aditest.net'
Aug 31 11:20:21 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a@0aditest.net#011host=BACKEND_SERVER_IP#011email=a@0aditest.net#011proxy#011pass=1234567890
Aug 31 11:20:21 centos6 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: email
Aug 31 11:20:21 centos6 dovecot: imap-login: proxy(a@0aditest.net): started proxying to BACKEND_SERVER_IP:143: user=<a@0aditest.net>, method=PLAIN, rip=192.168.1.56, lip=192.168.1.222, TLS
[...]
(SMTP connection)
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: connect from unknown[192.168.1.200]
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: auth client connected (pid=11213)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=192.168.1.222#011rip=192.168.1.200#011resp=AGFAMGFkaXRlc3QubmV0AGFzZA==
Aug 31 11:36:14 centos6 dovecot: auth: Debug: cache(a@0aditest.net,192.168.1.200): miss
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: sql(a@0aditest.net,192.168.1.200): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a@0aditest.net'
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a@0aditest.net#011host=203.63.79.87#011email=a@0aditest.net#011proxy#011pass=anygivenpassword
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: C9620600A9: client=unknown[192.168.1.200], sasl_method=PLAIN, sasl_username=a@0aditest.net
Aug 31 11:36:14 centos6 postfix/cleanup[11219]: C9620600A9: message-id=<20120831113614.72ed32df@adi.ddns.local>
[...]
---/var/log/maillog---
-- Adi Pircalabu
On 31.8.2012, at 5.51, Adi Pircalabu wrote:
> I'm relatively new to Dovecot and I did a bit of searching but couldn't find a possible solution for the particular setup I'm working on. Basically I have an SMTP/POP/IMAP proxy setup running Postfix & Dovecot. IMAP/POP authentication is done using the password proxy feature, where the login credentials are passed to the backend server after a DB lookup, which does the actual authentication.
POP/IMAP logs the user in and Dovecot proxies it.
> The POP/IMAP part is working fine. What I'm trying to do is to use the Dovecot SASL implementation in Postfix to do SMTP authentication in a similar manner. The problem I have with my current configuration is that SMTP authentication succeeds if only the username matches, because password forwarding works if the authentication succeeds with any given password, as documented at http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
Dovecot has no SMTP proxy (currently). And anyway, Postfix doesn't use SMTP to do authentication; Postfix authenticates using Dovecot's internal protocol, which replies that Postfix should do the proxying, which it of course doesn't do.
> My question is, given the above: is there a way to get SMTP authentication working properly in this scenario?
Make Postfix authenticate against the backend Dovecot server. You'll need to set up service auth { inet_listener } on some port for it.
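The exchange Timo describes, as an added example that is not part of the thread: Postfix speaks Dovecot's auth-client protocol over the unix socket from the Postfix config above (VERSION and CPID, then one AUTH line carrying a base64 SASL PLAIN response), and the proxy passdb answers OK with proxy/host fields that an imap-login or pop3-login process would act on and Postfix cannot. The script below rebuilds that request from the auth_debug lines in the first post, pairs a logged request with its reply to flag an OK that the requesting service could never have turned into a backend login, and can probe a live auth socket with a deliberately wrong password. Two caveats for anyone copying the logging config: the resp= field in the "client in" lines decodes straight back to the plaintext password, which is what auth_debug_passwords = yes and auth_verbose_passwords = plain leave in maillog; and the socket path, the probe user and the wrong password used here are assumptions, not values from the thread.

```python
"""Probe Dovecot's auth-client socket the way Postfix does, and audit the
auth_debug lines above for an OK that was never a password check.

Added example, not code from the thread. The protocol lines are the ones in
the maillog excerpts (syslog renders a tab as #011); socket path, probe user
and the wrong password are assumptions."""
import base64
import os
import socket
from typing import Dict

# Services whose Dovecot login process can act on a "proxy" reply in this
# setup (assumption: IMAP and POP3, as in the thread). Postfix cannot proxy,
# so an OK carrying proxy/host for service=smtp verified only the username.
PROXY_CAPABLE = {"imap", "pop3"}


def sasl_plain(user: str, password: str, authzid: str = "") -> str:
    """Base64 SASL PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_plain(resp_b64: str) -> Dict[str, str]:
    """Inverse of sasl_plain: this is what auth_debug_passwords=yes leaves in
    maillog as the resp= field, i.e. the plaintext password."""
    authzid, authcid, password = base64.b64decode(resp_b64).decode().split("\0", 2)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def _fields(items) -> Dict[str, object]:
    """key=value items become str values; bare flags (proxy, nologin) become True."""
    out: Dict[str, object] = {}
    for item in items:
        key, sep, value = item.partition("=")
        out[key] = value if sep else True
    return out


def auth_request(req_id: int, user: str, password: str, service: str,
                 lip: str, rip: str) -> str:
    """One AUTH line of the auth-client protocol, in the field order Postfix
    uses (service, nologin, lip, rip, resp)."""
    fields = [f"service={service}"]
    if service == "smtp":
        fields.append("nologin")  # Postfix only authenticates; it never logs in
    fields += [f"lip={lip}", f"rip={rip}", f"resp={sasl_plain(user, password)}"]
    return "AUTH\t%d\tPLAIN\t%s\n" % (req_id, "\t".join(fields))


def parse_request(line: str) -> Dict[str, object]:
    """Parse an AUTH line ('client in:' in the log); accepts the #011 form."""
    parts = line.rstrip("\n").replace("#011", "\t").split("\t")
    if parts[0] != "AUTH":
        raise ValueError("not an AUTH line: %r" % line)
    return {"id": int(parts[1]), "mech": parts[2], "fields": _fields(parts[3:])}


def parse_reply(line: str) -> Dict[str, object]:
    """Parse an OK/FAIL/CONT line ('client out:' in the log); accepts #011."""
    parts = line.rstrip("\n").replace("#011", "\t").split("\t")
    if parts[0] not in ("OK", "FAIL", "CONT"):
        raise ValueError("not an auth reply: %r" % line)
    return {"status": parts[0], "id": int(parts[1]), "fields": _fields(parts[2:])}


def audit_pair(request_line: str, reply_line: str) -> Dict[str, object]:
    """Pair a logged request with its reply and say whether the OK was a real
    password check or a proxy hand-off that the requesting service cannot do."""
    req, rep = parse_request(request_line), parse_reply(reply_line)
    if req["id"] != rep["id"]:
        raise ValueError("request/reply id mismatch")
    creds = decode_plain(req["fields"]["resp"]) if req["mech"] == "PLAIN" else {}
    service = req["fields"].get("service")
    proxied = rep["status"] == "OK" and rep["fields"].get("proxy") is True
    return {
        "service": service,
        "user": creds.get("authcid"),
        "password_in_log": creds.get("password"),
        "accepted": rep["status"] == "OK",
        "proxied": proxied,
        "unverified_accept": proxied and service not in PROXY_CAPABLE,
    }


def probe(socket_path: str, user: str, service: str = "smtp",
          wrong_password: str = "not-the-real-password") -> Dict[str, object]:
    """Connect to the auth socket like Postfix (VERSION, CPID, then AUTH) and
    offer a deliberately wrong password. An OK reply means the passdb accepted
    the username alone, i.e. SMTP AUTH is bypassed for any known address."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        conn = sock.makefile("rw", encoding="utf-8", newline="\n")
        conn.write("VERSION\t1\t1\nCPID\t%d\n" % os.getpid())
        conn.flush()
        for line in conn:  # server greeting (VERSION, MECH..., COOKIE) ends with DONE
            if line.startswith("DONE"):
                break
        conn.write(auth_request(1, user, wrong_password, service, "127.0.0.1", "127.0.0.1"))
        conn.flush()
        for line in conn:
            if line.split("\t")[0] in ("OK", "FAIL", "CONT"):
                return parse_reply(line)
    return {"status": "NOREPLY", "id": 1, "fields": {}}


if __name__ == "__main__":
    # Assumed socket path (the one from the Postfix config above) and user.
    reply = probe("/var/spool/postfix/private/auth", "a@0aditest.net")
    print("BYPASS" if reply["status"] == "OK" else "rejected", reply)
```

Run the probe as a user allowed to open the auth socket (mode 0660, owner postfix in the config above); a FAIL for the wrong password is the expected healthy result, an OK reproduces the behaviour in the SMTP log excerpt. audit_pair can be pointed at any "client in" / "client out" pair with the same request id copied out of maillog.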
On Fri, 31 Aug 2012 17:11:07 +0300 Timo Sirainen <tss@iki.fi> wrote:
>> The POP/IMAP part is working fine. What I'm trying to do is to use the Dovecot SASL implementation in Postfix to do SMTP authentication in a similar manner. The problem I have with my current configuration is that SMTP authentication succeeds if only the username matches, because password forwarding works if the authentication succeeds with any given password, as documented at http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> Dovecot has no SMTP proxy (currently). And anyway, Postfix doesn't use SMTP to do authentication; Postfix authenticates using Dovecot's internal protocol, which replies that Postfix should do the proxying, which it of course doesn't do.
Yes, I know and that's exactly what I was trying to do: use Dovecot authentication method in Postfix to authenticate the user. Because of the fact that Dovecot doesn't do SMTP authentication, I was thinking of a way of using its authentication service by getting the SMTP login credentials from the backend POP/IMAP server. The request may sound a bit unusual, but in our case it makes sense. For our setup we currently run:
- a farm of backend SMTP/POP/IMAP servers that are hosting the mailboxes and where the user credentials are managed. They are running Courier IMAP.
- a group of SMTP/POP/IMAP proxies. These proxies are currently replicating the login credentials from the backend servers and the routing to the backends using a local database. Perdition is currently the POP/IMAP proxy, but having it replaced with Dovecot would help us in getting the password forwarding to the backends running, which means we wouldn't need to store the credentials on the proxy, only the user->host routing entries.

Are there any plans to have the Dovecot authentication service do SMTP authentication against IMAP or POP3 proxy-provided information? This, of course, means we'd have the authentication result tied to the response of the backend IMAP/POP3 server.
>> My question is, given the above: is there a way to get SMTP authentication working properly in this scenario?
> Make Postfix authenticate against the backend Dovecot server. You'll need to set up service auth { inet_listener } on some port for it.
The POP/IMAP backends are running Courier IMAP, as I've just mentioned, and due to the existing hosting environment it's very unlikely to be replaced with something else.
-- 
Adi Pircalabu, System Administrator
Discount Domain Name Services Pty Ltd, a Total Internet Company
PO Box 887, Hawthorn Vic 3122, Australia, T +61 3 9815 6868
Ask me about cloud hosting services
On 3.9.2012, at 2.41, Adi Pircalabu wrote:
> Are there any plans to have the Dovecot authentication service do SMTP authentication against IMAP or POP3 proxy-provided information? This, of course, means we'd have the authentication result tied to the response of the backend IMAP/POP3 server.
I don't see any clean way of doing that.
>>> My question is, given the above: is there a way to get SMTP authentication working properly in this scenario?
>> Make Postfix authenticate against the backend Dovecot server. You'll need to set up service auth { inet_listener } on some port for it.
> The POP/IMAP backends are running Courier IMAP, as I've just mentioned, and due to the existing hosting environment it's very unlikely to be replaced with something else.
Maybe use IMAP authentication as the backend? pam_imap at least can do that. Or you can already also use Dovecot v2.1's passdb imap to do this, pretty much equivalent to pam_imap.
On 2012-09-03 01:47, Timo Sirainen wrote:
> Maybe use IMAP authentication as the backend? pam_imap at least can do that. Or you can already also use Dovecot v2.1's passdb imap to do this, pretty much equivalent to pam_imap.
Drop PAM and use saslauthd with remote IMAP, or set up Cyrus SASL with SQL/LDAP/whatever one needs, just in case one more asks why I did not use Dovecot :)
On Mon, 03 Sep 2012 01:55:21 +0200 Benny Pedersen <me@junc.org> wrote:
> On 2012-09-03 01:47, Timo Sirainen wrote:
>> Maybe use IMAP authentication as the backend? pam_imap at least can do that. Or you can already also use Dovecot v2.1's passdb imap to do this, pretty much equivalent to pam_imap.
I had a look at pam_imap and had to fix the spec file to get it built for CentOS 6 64-bit. For the record, I had to add the following in the %build section:

export CFLAGS="%{optflags} -fPIC"
export CXXFLAGS="%{optflags} -fPIC"

However:
> Drop PAM and use saslauthd with remote IMAP, or set up Cyrus SASL with SQL/LDAP/whatever one needs
Yep, saslauthd with rimap appears to be exactly what I need.
> just in case one more asks why I did not use Dovecot :)
The password forwarding feature is one of the reasons I started looking into Dovecot.
Thanks to you both for your help.
-- Adi Pircalabu, System Administrator
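Timo's pam_imap / passdb imap suggestion and the saslauthd rimap route Adi settled on come down to the same check: open an IMAP session to the backend with the submitted credentials and let the backend's LOGIN reply decide. The block below is an added example of that check, not the code of any of those tools or of the thread. It keeps the per-user routing the proxy's SQL host column already provides (saslauthd -a rimap -O host talks to one fixed host, which a farm of backends does not fit), uses imaplib over verified TLS for the real connector, and fails closed on every non-OK path: unknown user, empty password, unreachable backend, or NO from LOGIN. ROUTES, the backend hostname and FakeBackend are constructed so the example runs offline.

```python
"""Check a password against the user's own backend IMAP server, which is what
saslauthd -a rimap, pam_imap and Dovecot 2.1's passdb imap all do, but routed
per user the way the proxy's SQL host column routes IMAP/POP sessions.

Added example, not code from the thread or from those tools. ROUTES, the
backend name and FakeBackend are constructed; connect_tls is the real one."""
import imaplib
import ssl
from typing import Callable, Dict, Mapping

# Constructed stand-in for the mailbox table's email -> host column.
ROUTES: Dict[str, str] = {"a@0aditest.net": "backend1.example.invalid"}


def connect_tls(host: str, port: int = 993):
    """Real connector: IMAPS with certificate verification (raises on a bad cert)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())


def verify_against_backend(user: str, password: str,
                           routes: Mapping[str, str] = ROUTES,
                           connect: Callable[[str], object] = connect_tls) -> bool:
    """True only if the user's backend accepts an IMAP LOGIN with this password.
    Unknown user, empty password, unreachable backend and NO/BAD from LOGIN
    are all rejects: unlike the proxy passdb, nothing here passes on the
    username alone."""
    host = routes.get(user)
    if host is None or password == "":
        return False
    try:
        conn = connect(host)
    except OSError:
        return False  # backend down or unresolvable: fail closed, do not accept
    try:
        status, _ = conn.login(user, password)
        return status == "OK"
    except imaplib.IMAP4.error:
        return False  # backend answered NO (or BAD) to LOGIN
    finally:
        try:
            conn.logout()
        except (OSError, imaplib.IMAP4.error):
            pass


class FakeBackend:
    """Constructed Courier-like backend for offline use: one valid credential,
    LOGIN answers OK for it and NO (IMAP4.error in imaplib terms) otherwise."""
    CREDENTIALS = {"a@0aditest.net": "123qweZXC"}

    def __init__(self, host: str, port: int = 993):
        self.host = host

    def login(self, user: str, password: str):
        if self.CREDENTIALS.get(user) == password:
            return "OK", [b"LOGIN Ok."]
        raise imaplib.IMAP4.error("LOGIN failed")

    def logout(self):
        return "BYE", [b"LOGOUT completed"]


def unreachable_backend(host: str, port: int = 993):
    """Constructed connector simulating a backend that refuses connections."""
    raise ConnectionRefusedError(f"{host}:{port} refused")


if __name__ == "__main__":
    for pw in ("123qweZXC", "asd"):
        print(pw, verify_against_backend("a@0aditest.net", pw, connect=FakeBackend))
```

The same function with connect_tls is what a small SASL helper or a custom checkpassword script would call in front of Postfix; the point to keep from the thread is that whatever sits on Postfix's SASL path has to get a reject for a wrong password from the backend, which the proxy passdb on the Dovecot auth socket never produces.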
participants (3): Adi Pircalabu, Benny Pedersen, Timo Sirainen