Re: sasl service for other app

2022-12-12 Thread justina colmena ~biz
Okay.  Let's try this. With the snippet you posted from
"/etc/dovecot/conf.d/10-master.conf"
inside the "service auth {...}" section. 

This is from my "/etc/postfix/master.cf"

> submission inet n   -   n   -   -   smtpd
> #  -o syslog_name=postfix/submission
> 
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous



On Thursday, December 8, 2022 4:49:06 AM AKST Shawn Heisey wrote:
> On 12/7/22 21:53, Henry R wrote:
> > can dovecot run as a general sasl service for other apps? such as webdav.
> 
> I am using dovecot to provide authentication for postfix submission. 
> This is the config in postfix:
> 
> smtpd_sasl_type = dovecot
> # Referring to /var/spool/postfix/private/auth
> smtpd_sasl_path = private/auth
> 
> In /etc/dovecot/conf.d/10-master.conf I have this:
> 
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>     user = postfix
>     group = postfix
>   }
> 
> If the application supports using a socket for sasl, then I would
> imagine that Dovecot should work.
> 
> Postfix is using the same postfixadmin database for email addresses that
> Dovecot is, but for authentication, it's all Dovecot.
> 
> I should probably look into Dovecot's submission support so I don't need
> to have postfix using that auth socket, just haven't found the time.
> 
> Thanks,
> Shawn


-- 
https://justina.abeja.colmena.biz/




Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
So this should allow postfix to piggyback on top of whatever dovecot auth 
is being used.


On Thursday, December 8, 2022 4:49:06 AM AKST, Shawn Heisey wrote:

On 12/7/22 21:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.


I am using dovecot to provide authentication for postfix 
submission.  This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

If the application supports using a socket for sasl, then I 
would imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email 
addresses that Dovecot is, but for authentication, it's all 
Dovecot.


I should probably look into Dovecot's submission support so I 
don't need to have postfix using that auth socket, just haven't 
found the time.


Thanks,
Shawn





--
https://justina.abeja.colmena.biz/


Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz

https://doc.dovecot.org/configuration_manual/authentication/sql/#password-verification-by-sql-server

Perfect. However on Postfix it is more finicky.

https://www.postfix.org/SASL_README.html#auxprop_sql

Tip
If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, 
see section "Using saslauthd with PAM", and configure PAM to look up the 
encrypted passwords with, for example, the pam_mysql module. You will not be able to use 
any of the methods that require access to plaintext passwords, such as the shared-secret 
methods CRAM-MD5 and DIGEST-MD5.


On Thursday, December 8, 2022 10:17:11 AM AKST, Alessio Cecchi wrote:

Yes,

we are using dovecot, also, for SASL only as authentication provider.

Here are some relevant parts of the configuration:

# probably not necessary but dovecot requires it so I set it to /tmp/

mail_location = maildir:/tmp/%u/Maildir:INDEX=memory

# setup a mysql database with your users and password
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

# here is the most important part, with this you can query SASL
# via port "12345" or via socket

service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

# SASL doesn't support SSL
ssl = no

Ciao

On 08/12/22 05:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.
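An added example, not part of any message in this thread: a small Python check that reads Dovecot configuration text and flags `service auth` listeners, like the ones posted above, that are reachable by more than the intended service account. The function name and the sample text (assembled from the thread's snippets) are constructed here; the defaults assumed for a missing `mode` or `address` are noted in the comments.

```python
# Constructed sample, assembled from the listener snippets posted in this thread.
SAMPLE = """
service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
ssl = no
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def audit_auth_listeners(conf):
    """Return (listener, finding) pairs for auth listeners that are widely reachable."""
    findings, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.endswith("{"):                       # block opens
            stack.append({"head": line[:-1].strip(), "set": {}})
        elif line == "}" and stack:                  # block closes: evaluate it
            block = stack.pop()
            kind = (block["head"].split() or [""])[0]
            in_auth = any(b["head"] == "service auth" for b in stack)
            if in_auth and kind == "unix_listener":
                # Assumption: a listener without "mode" gets 0600.
                mode = int(block["set"].get("mode", "0600"), 8)
                if mode & 0o002:                     # connect() needs write permission
                    findings.append((block["head"], "mode %04o: world-writable socket" % mode))
            elif in_auth and kind == "inet_listener":
                # Assumption: a listener without "address" binds to all interfaces.
                addr = block["set"].get("address", "*")
                if addr not in LOOPBACK:
                    port = block["set"].get("port", "?")
                    findings.append((block["head"], "auth reachable over TCP port %s on %s" % (port, addr)))
        elif "=" in line and stack:                  # key = value inside a block
            key, _, val = line.partition("=")
            stack[-1]["set"][key.strip()] = val.strip()
    return findings

if __name__ == "__main__":
    for listener, finding in audit_auth_listeners(SAMPLE):
        print(listener, "->", finding)
```

The socket mode is only one layer: connecting also requires search permission on every directory in the socket's path, so review the directory permissions together with the listener mode.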






Re: sasl service for other app

2022-12-08 Thread Michael Peddemors

On 2022-12-07 20:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


Almost anything can use dovecot (or any other system) as an 
authentication SASL service, but it is the 'gotchas' that you have to 
think about.


* Does this open your SASL mechanism to new brute force attacks?
* How do you pass additional information to the SASL, e.g. country of origin, IP address?
* How do you pass 2FA through?
* Rate limiting?
* What about policies such as the use of TOR proxies?
* Will this create excessive demand on dovecot?

On the surface, the authentication part is the most simple.
However, you might want to consider connecting directly to the 
underlying mechanism that your dovecot is using.  With a middle layer of 
course, that addresses all of the other issues.




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada




Re: sasl service for other app

2022-12-08 Thread Shawn Heisey

On 12/7/22 21:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.


I am using dovecot to provide authentication for postfix submission.  
This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

If the application supports using a socket for sasl, then I would 
imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email addresses that 
Dovecot is, but for authentication, it's all Dovecot.


I should probably look into Dovecot's submission support so I don't need 
to have postfix using that auth socket, just haven't found the time.


Thanks,
Shawn
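An added example, not part of any message in this thread: what an application has to speak on that auth socket, shown as a minimal Python client for one SASL PLAIN attempt, including the `rip=` field that carries the end user's IP address to Dovecot. The function names, the service name and the constructed greeting are assumptions made here; the client announces protocol version 1.1 and handles a single OK/FAIL reply only.

```python
import base64
import os
import socket

# Constructed sample of a server greeting followed by a successful reply.
SAMPLE_SERVER = (b"VERSION\t1\t2\nMECH\tPLAIN\tplaintext\nSPID\t100\nCUID\t1\n"
                 b"COOKIE\tabc\nDONE\nOK\t1\tuser=alice\n")

def build_auth_plain(req_id, service, user, password, rip=None):
    """Return one TAB-separated AUTH request line for SASL PLAIN."""
    # PLAIN initial response: authzid NUL authcid NUL password (RFC 4616)
    resp = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
    fields = ["AUTH", str(req_id), "PLAIN", "service=" + service]
    if rip:
        fields.append("rip=" + rip)           # remote (end user) IP address
    fields.append("resp=" + resp.decode())    # resp= has to be the last field
    return "\t".join(fields) + "\n"

def parse_reply(line):
    """Split 'OK|FAIL|CONT <id> [key=value ...]' into (status, id, params)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 2:
        raise ValueError("short reply from auth server: %r" % line)
    params = {k: v for k, _, v in (p.partition("=") for p in parts[2:])}
    return parts[0], int(parts[1]), params

def authenticate(sock, service, user, password, rip=None):
    """Handshake plus one PLAIN attempt on a connected socket; True on OK."""
    reader = sock.makefile("rb")
    sock.sendall(b"VERSION\t1\t1\nCPID\t%d\n" % os.getpid())
    for line in reader:                       # server greeting ends with DONE
        if line.strip() == b"DONE":
            break
    sock.sendall(build_auth_plain(1, service, user, password, rip).encode())
    status, req_id, _ = parse_reply(reader.readline().decode())
    return status == "OK" and req_id == 1

if __name__ == "__main__":
    # Against a real server: connect an AF_UNIX socket to the unix_listener path.
    client, server = socket.socketpair()
    server.sendall(SAMPLE_SERVER)
    print(authenticate(client, "webdav", "alice", "s3cret", rip="192.0.2.10"))
```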



Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
I suppose. Essentially create a database table and supply a custom SQL 
query for authentication. Program a PHP web form with a token to reset user 
password with a recovery email, etc. Postgres/nginx should be just as easy 
as mysql/apache.


On Wednesday, December 7, 2022 10:48:27 PM AKST, Robert Schetterer wrote:

On 08.12.22 at 06:14, justina colmena ~biz wrote:

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get 
it to work with dovecot. Ideas? Pointers to docs online?


Usually it's easier to configure dovecot, postfix with a 
database like mysql; mysql auth with, i.e., apache should be easy 
then.






Re: sasl service for other app

2022-12-07 Thread Robert Schetterer

On 08.12.22 at 06:14, justina colmena ~biz wrote:

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get it to 
work with dovecot. Ideas? Pointers to docs online?


Usually it's easier to configure dovecot, postfix with a database like 
mysql; mysql auth with, i.e., apache should be easy then.


--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München




Re: sasl service for other app

2022-12-07 Thread justina colmena ~biz

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get it to work 
with dovecot. Ideas? Pointers to docs online?


sasl service for other app

2022-12-07 Thread Henry R
can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.