[Dovecot] Postfix SASL AUTH from Dovecot

Dan Stromberg strombrg at dcs.nac.uci.edu
Tue Jun 1 23:26:15 EEST 2004


Just guessing from my armchair here, but I believe I heard Wietse (of
postfix and tcp wrappers fame) wasn't willing to include SMTP AUTH
patches into postfix, because SASL was too large and unaudited.

If you have something that allows authenticated SMTP for postfix via
dovecot, and it's not a huge gob of unaudited code, you might be onto
something really nice - particularly if the changes can be included in
the postfix (or dovecot?) baseline so people don't have to patch, and
repatch, and hope patching continues to work.


On Mon, 2004-05-31 at 09:12, Timo Sirainen wrote:
> On Mon, 2004-05-31 at 15:47, Farkas Levente wrote:
> > my main question here (as always) why we need sasl at all?
> > what is the main pros for sasl?
> > I've never seen any good reason.
> 
> SMTP AUTH is done with SASL, so IP-address restrictions and
> POP/IMAP-before-SMTP are the only alternatives.
> 
> SASL is really just a list of requirements for an authentication
> mechanism to be SASL compatible. There are plaintext SASL mechanisms
> (PLAIN, LOGIN) which are commonly used with SMTP authentication.
> 
> When talking about SASL library it usually does much more than just
> implement the few SASL mechanisms. It has to know how to verify the
> passwords and where to find user's home directory etc. dovecot-auth for
> example consists of:
> 
> # user/password databases (pam, ldap, sql, ..)
> ~/cvs/dovecot/src/auth% wc -l db-*.c|tail -1
>   975 total
> ~/cvs/dovecot/src/auth% wc -l userdb*.c|tail -1
>   881 total
> ~/cvs/dovecot/src/auth% wc -l passdb*.c|tail -1
>  1497 total
> # password matching functions (crypt, md5, ..)
> ~/cvs/dovecot/src/auth% wc -l password*.c|tail -1
>   475 total
> # sasl authentication mechanisms
> ~/cvs/dovecot/src/auth% wc -l mech-*.c
>    82 mech-anonymous.c
>   251 mech-cram-md5.c
>   250 mech-cyrus-sasl2.c
>   652 mech-digest-md5.c
>   136 mech-plain.c
>  1371 total
> 
> Only the mech-*.c files are SASL mechanism specific code. ANONYMOUS
> could be done pretty much by sending username "anonymous" and empty
> password. CRAM-MD5 and DIGEST-MD5 aren't really useful if SSL is being
> used, except with them server never sees the plaintext password. What
> could actually be very useful are Kerberos and OTP mechanisms, if
> someone just implemented them.
> 
> > anyway why do you use dovecot-auth for postfix? postfix has many 
> > authentication mechanism for everything.
> 
> AFAIK Postfix uses only Cyrus SASL library for authentication, it hasn't
> implemented anything internally and it doesn't support any other library
> (and there aren't many). And Cyrus SASL was the thing I've always
> disliked.
> 
> It also means less configuration.
-- 
Dan Stromberg DCS/NACS/UCI <strombrg at dcs.nac.uci.edu>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040601/a7e7a088/attachment-0001.bin>


More information about the dovecot mailing list