[Dovecot] Dovecot SASL Client support?

Patrick Ben Koetter p at sys4.de
Tue Jan 8 22:17:49 EET 2013

* /dev/rob0 <dovecot at dovecot.org>:
> On Tue, Jan 08, 2013 at 08:59:09AM -0500, Charles Marcus wrote:
> > So that postfix can use dovecot-sasl for remotely authenticating
> > against another SMTP server, ie, for secure relays...
> I don't think this makes sense for Dovecot to implement -- maybe 
> P at rick and/or Timo will correct this if I am wrong.

That's a difficult subject, because I am not the author of Dovecot. So
whatever I say, Timo definitely has the last word on this. But since you
invited me, here are my thoughts:

At the moment Dovecot does not implement an SMTP/LMTP client. This might
change, when Timo decides to implement all of the LEMONADE feature, which at
some point require the IMAP server to edit and send messages on behalf of a
(mobile) client. Timo will shed more light on his plans.

IF that part will be implemented it MAY make sense to add the AUTH capability
to the SMTP/LMTP client, because the receiving SMTP/LMTP server MAY require

IF at that point Dovecot becomes capable to AUTH on the client side, it MAY
share that capability with another program e.g. Postfix.

At the moment Postfix uses a simple IF/THEN mechanism, which is configured in
two columns in and provided via smtp_sasl_password_maps:


If Postfix were to use Dovecot as AUTH service it would have to query Dovecot
for every hosts it contacts. Dovecot would have to know when Postfix would
have to use AUTH, it would have to choose the apropriate SASL mechanism and it
would have to guide Postfix through the mechanisms steps including handing
over the identity when required.

All this to solve a problem that already has been solved.

My personal opinion/preference is:

Use Cyrus SASL when you need SMTP AUTH on a Boundary Server, a Relay or if you
need SASL on the client side.

Use Dovecot SASL if your mail service offers SMTP and also POP/IMAP on the
same system and/or if you combine more roles (mail server, Boundary Server,
Relay, Gateway etc.).

> Server SASL is a natural offshoot of an imapd, because the same 
> credentials are used, and just as with an IMAP client, the imapd 
> merely has to validate the credentials.
> Client SASL is different. The credentials are not necessarily in use 
> by the imapd otherwise, and the job of the client SASL library is to 
> generate the authentication, not to validate it.

recognize, choose and generate.

> I don't expect to see Dovecot providing client SASL.

Neither do I, but it's not upon me to tell. :)

p at rick

[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich

More information about the dovecot mailing list