Michael Tokarev via Postfix-users:
> There's nothing in the docs saying if dovecot sasl can work with
> non-plaintext mechanisms. In almost all docs and examples I've
> found, the dovecot side of the config is configured with
> "auth_mechanisms = plain login". There are some vague references
> to usage of other mechanisms, for example
The excuse is that this is separation of duties: Postfix proxies
information between the network and the SASL implementation.
The problem with documenting non-Postfix code is that Postfix
documentation will always be incomplete and out of date.
> And finally, some SASL mechanisms also provide encryption, like an
> alternative to TLS. Am I right this is not implemented in Postfix?
It is not used for SMTP, therefore out of scope.
> This SASL thing turned out to be quite complex due to various
> possibilities and restrictions (so much for "simple").
>
> This was a big picture / overview part. Now, there's another
> aspect: accessing SASL data/sockets from Postfix. And in this
> context, there are really awful suggestions which are repeated
> in multiple places, especially when postfix is configured to run
> chrooted - like suggestions to move /etc/sasldb2 to /var/spool/postfix/
> and make it rw to postfix:postfix - this feels insane. Adding there
> various libraries and config files for cyrus sasl plugins and other
> "interesting" stuff..
Once more, chroot bites. I wonder how much development effort should
be put into "useful functionality" instead of working around
self-inflicted pain.
> It *feels* like postfix needs some separation of this sasl stuff into
> its own process somehow, similar to how proxymap is done, so that
> eg cyrus sasl code is not linked directly into smtp[d] with all its
> large code. If we don't use sasl-based session encryption, it should
> be relatively easy. This daemon can have its own privileges which
> allows it to work with secrets database without granting access to
> it to whole postfix.
What parts of the libsasl API require root privileges? This is
rather new to me, 25 years into Postfix SASL support. I thought
that saslauthd provides the privilege separation that is needed
for shared-secret access.
Dovecot AUTH calls are already RPCs and do not need a proxy.
Wietse
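As an added illustration of the socket-based Dovecot path that keeps credentials out of the Postfix chroot, the usual pairing of Postfix and Dovecot settings follows; this is an example added here, not from the thread or from either project's documentation verbatim, and the queue directory /var/spool/postfix and the socket name private/auth are assumptions.

```conf
# --- Postfix main.cf (added example; queue_directory assumed to be /var/spool/postfix) ---
smtpd_sasl_type = dovecot
# Relative to queue_directory, so it resolves the same way whether or not smtpd(8) runs chrooted.
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Offer AUTH only on TLS sessions, and never a plaintext mechanism without TLS.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# --- Dovecot conf.d/10-master.conf (added example) ---
# Dovecot owns the credential store; Postfix only reaches this socket inside its queue directory.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Dovecot conf.d/10-auth.conf (added example) ---
# Mechanisms offered to Postfix's clients; plain/login are acceptable only behind TLS (see smtpd_tls_auth_only).
auth_mechanisms = plain login
```

Nothing but the socket lives under the queue directory, so no secret database or plugin library needs to be copied into or made writable inside the chroot.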
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]