It should also be mentioned that dovecot can act as an SMTP relay in "front" of Postfix (or any other MTA) and handle the authentication part of the transaction. This of course implies use of the dovecot authentication machinery for mail submissions. I don't know much about it beyond its existence so I'll leave others to speak to its merits. I chose the "decoupled" configuration personally.

On 9/05/2023 6:51 pm, Sean Gallagher wrote:
postfix can use LDAP for authentication (i.e. SASL) and for validation ("ldap" table).

As best I can tell, postfix cannot use dovecot to validate addresses, if you want that you will need postfix to talk directly to ldap. GOTCHA: use the "postconf -m" command to check that the "ldap" table is available in your distro - it wasn't in mine (Alpine).

For authentication, postfix can use smtpd_sasl_type = "cyrus" or "dovecot". "cyrus" uses the saslauthd authentication daemon from the Cyrus mail package and "dovecot" uses the dovecot/auth daemon. These options are much more similar than they might seem. Both are a thin layer over the OpenLDAP libldap library. Postfix can talk to either auth daemon over a Unix domain socket or in the Dovecot case, over an IP socket with a simple proprietary protocol. The protocols they speak are different but very similar - they achieve the same thing.

Use "postconf -a" command to check which authentication types are available in your distro.

Computationally speaking, there probably isn't that much difference. For my system, I chose not to use the dovecot SASL in Postfix for various reasons but mostly to remove dependencies between the packages. This way I could "switch out" either package if required and avoid too much pain.

That's my 2 cents.


On 9/05/2023 5:30 pm, dovecot--- via dovecot wrote:
The question about best practices was more a conceptual one. Should dovecot and postfix talk independently to the LDAP database? Or should dovecot be the gateway for postfix to get the information out of the LDAP database?


Just my 2 cents, I'd have postfix talk directly to LDAP to see if a user is valid for accepting mail. Having it go through dovecot is just adding extra moving parts and overhead. Cut out the middle man since postfix would be talking to the same "database" that dovecot would. Why give dovecot more work?
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
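
The two checks mentioned in the thread (`postconf -m` for the "ldap" table, `postconf -a` for the SASL type), combined into a preflight script. This is an added example, not part of the original messages; the function names, the `SASL_TYPE` variable and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# has_type LIST NAME: succeed if NAME is one of the whitespace-separated
# entries in LIST (the format printed by "postconf -m" and "postconf -a").
has_type() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -qxF -- "$2"
}

# preflight MAPS SASL WANTED: print one line per finding and return the
# number of missing features (0 means the build supports the planned setup).
preflight() {
    maps=$1 sasl=$2 wanted=$3 missing=0
    if has_type "$maps" ldap; then
        echo "ok: ldap lookup table available"
    else
        echo "missing: ldap lookup table (address validation against LDAP will not work)"
        missing=$((missing + 1))
    fi
    if has_type "$sasl" "$wanted"; then
        echo "ok: smtpd_sasl_type = $wanted available"
    else
        echo "missing: SASL type '$wanted' not compiled in"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample outputs (not captured from a real host). The first
# mimics a build without the ldap table, the situation reported for Alpine.
SAMPLE_MAPS_NO_LDAP='btree
cidr
hash
pcre
texthash'
SAMPLE_MAPS_LDAP="$SAMPLE_MAPS_NO_LDAP
ldap"
SAMPLE_SASL='cyrus
dovecot'

# On a host with Postfix installed, check the live build; otherwise run
# against the constructed sample so the script still demonstrates the output.
if command -v postconf >/dev/null 2>&1; then
    preflight "$(postconf -m)" "$(postconf -a)" "${SASL_TYPE:-dovecot}" || true
else
    preflight "$SAMPLE_MAPS_NO_LDAP" "$SAMPLE_SASL" "${SASL_TYPE:-dovecot}" || true
fi
```
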

