[SOLVED] A question about dovecot authentication...

trist007 · 03-16-2011, 01:04 AM

I'm running Slackware 13.0. I have cyrus SASL2 installed as well as Postfix 2.6. I have saslauthd running shadow for my system users. I use auth plain. I'm just experimenting so I will probably go with md5 digest later on Anybody know the exact reason why slack didn't go for PAM, I've always been interested to know the reason why. Anyhow postfix with sasl works great for allowing remote users to login to postfix server to relay mail out. I added in /usr/local/lib/sasl2/smtpd.conf with the appropriate lines. And of course, testsaslauthd successfully authenticates my test user.

Anyhow, I want to host pop and imap servers for these system users. I thought about using dovecot. Installed it. I definitely want to use auth plain and have shadow be the passwd db. So here is where I'm confused. I see several articles on how to use dovecot's own SASL. But I want to use Cyrus sasl instead. I can't seem to locate any good articles on setting up Cyrus sasl for dovecot. I'm thinking I need a configuration file similar to /usr/local/lib/sasl2/smtpd.conf. Anyhow, I have dovecot.conf setup to use shadow and auth plain. I set ssl_disable = yes and disble_plaintest_auth = no. Is this auth plain where it encodes my password into base64 or is it just really plain text? So I start the imap server. I try to login as my test user by using nc -v localhost 143. I do 'a login user password' but I get an instant bye.
In stdout

Code:

* BYE Internal login failure. Refer to server log for more information.

In /var/log/maillog

Code:

Mar 16 00:39:37 hostname dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

I don't really need all the features of dovecot, so I figure I may as well try out /usr/bin/imapd and /usr/bin/ipop3d. I enabled these guys in rc.inetd and they work like a charm. Do these guys uses Cyrus sasl at all? or do they just connect directly to the/etc/shadow file for authentication? I'm guessing they use Cyrus sasl. Are they using plaintext or is it base64? Is there any way to add ssl to these guys? I guess I can use stunnel.

Anyhow, these inetd guys will definitely do the job. However, I would still like to understand and get Cyrus sasl to work with dovecot. And if not I'll give into dovecot's sasl and try it out. Can you guys point me in the right direction.

audriusk · 03-16-2011, 08:26 AM

I'm using dovecot 1.2.x on my VPS with Slackware 12.0 (without cyrus-sasl, though it is used by sendmail). Not sure if this is what you're looking for, but at least I can assure you that auth is working alright.

I have configured it long time ago and don't remember the exact steps, so bear with me.

Here's the part of my dovecot config file:

Code:

disable_plaintext_auth = yes

# I'm using POP3S only.
protocols = pop3s

# Cert files.
ssl_cert_file = /etc/mail/certs/smtp.cert.pem
ssl_key_file = /etc/mail/certs/smtp.key.pem

auth default {
  mechanisms = plain
  passdb shadow {
  }
  userdb passwd {
  }
  user = root
}

As you can see, authentication is done via TLS using plain text mechanism. You can test it by using the following command:

Code:

openssl s_client -connect localhost:pop3s

In my case I get "+OK Dovecot ready."

My certificate was issued by CAcert (they issue free certs).

Hope this helps.

trist007 · 03-16-2011, 08:48 AM

Ah I was missing the userdb passwd part. Awesome, thanks a lot, great help.