[Dovecot] saslauthd/dovecot/root

[Andrew Instone-Cowie]

Hi,

I am using SMTP-AUTH over TLS with sendmail, to allow remote users to 
authenticate and send mail via my server, and this uses saslauthd to 
authenticate users.

I have set up saslauthd with the "MECH=rimap" mechanism, so it uses the 
local IMAP server, Dovecot, for authentication.

I want to do this because Dovecot is set up to use /etc/passwd for user 
credentials (so I don't have multiple password files to manage), and 
Dovecot handles restricting the range of valid UIDs (including blocking 
root). (Using the default MECH=shadow with saslauthd allows all users to 
authenticate, which I don't want)

For real "normal" users, this all works fine - right password = user can 
relay mail, wrong password = relaying denied. So far so good.

If I try to authenticate as root (which I want NEVER to work), with the 
wrong password, Dovecot correctly refuses to allow root IMAP access and 
saslauthd/sendmail denies the relay.

But if I try to authenticate as root with the correct password (which I 
still want NOT to work!), Dovecot still refuses IMAP access, and puts 
this in the maillog:

Oct  5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root)
Oct  5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]

But saslauthd seems to treat this as a successful authentication and 
still allows root to relay email!

So: Dovecot problem or saslauthd problem?

Server is running CentOS 4.1, fully patched. Packages are 
dovecot-0.99.11-2.EL4.1, cyrus-sasl-2.1.19-5.EL4, sendmail-8.13.1-2.

Thanks
Andrew