Hi,
I am using SMTP-AUTH over TLS with sendmail, to allow remote users to authenticate and send mail via my server, and this uses saslauthd to authenticate users.

I have set up saslauthd with the "MECH=rimap" mechanism, so it uses the local IMAP server, Dovecot, for authentication.

I want to do this because Dovecot is set up to use /etc/passwd for user credentials (so I don't have multiple password files to manage), and Dovecot handles restricting the range of valid UIDs (including blocking root). (Using the default MECH=shadow with saslauthd allows all users to authenticate, which I don't want.)

For real "normal" users, this all works fine - right password = user can relay mail, wrong password = relaying denied. So far so good.

If I try to authenticate as root (which I want NEVER to work), with the wrong password, Dovecot correctly refuses to allow root IMAP access and saslauthd/sendmail denies the relay.

But if I try to authenticate as root with the correct password (which I still want NOT to work!), Dovecot still refuses IMAP access, and puts this in the maillog:
Oct 5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root)
Oct 5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]
But saslauthd seems to treat this as a successful authentication and still allows root to relay email!

So: Dovecot problem or saslauthd problem?

Server is running CentOS 4.1, fully patched. Packages are dovecot-0.99.11-2.EL4.1, cyrus-sasl-2.1.19-5.EL4, sendmail-8.13.1-2.
Thanks
Andrew
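Whichever side turns out to be at fault, the behaviour described above is the classic failure mode of an authenticator that proxies to another service: the back end replies with something other than a clean "NO" (here Dovecot's "Internal login failure"), and a client that only denies on an explicit NO falls through to "success". The Python below is an added example, not saslauthd's or Dovecot's code, contrasting a permissive response parser with a fail-closed one that accepts nothing but a tagged OK for its own command tag. The command tag a001 and the reply texts are constructed, modelled on the maillog lines in the post.

```python
"""Fail-closed vs permissive parsing of IMAP LOGIN replies.

Added example (not saslauthd's or Dovecot's code). It models an rimap-style
authenticator that logs in to a local IMAP server on behalf of an SMTP AUTH
user and must turn the server's reply into "authenticated" or "denied".
"""
import re

# Tag we assume our LOGIN command was sent with (hypothetical value).
LOGIN_TAG = "a001"

# A tagged status response: "<tag> OK|NO|BAD <text>".
TAGGED_RE = re.compile(r"^(?P<tag>\S+) (?P<status>OK|NO|BAD)\b")


def login_succeeded_lenient(reply_lines, tag=LOGIN_TAG):
    """Permissive decision: deny only on an explicit tagged NO/BAD.

    Shown here as the pattern to avoid: an untagged BYE, an empty reply or
    a dropped connection all fall through to "success".
    """
    for line in reply_lines:
        m = TAGGED_RE.match(line.rstrip("\r\n"))
        if m and m.group("tag") == tag and m.group("status") in ("NO", "BAD"):
            return False
    return True


def login_succeeded(reply_lines, tag=LOGIN_TAG):
    """Fail-closed decision: accept only an explicit tagged OK for our tag."""
    for line in reply_lines:
        line = line.rstrip("\r\n")
        if line.startswith("* BYE"):
            # Server is closing the connection (for example Dovecot's
            # "Internal login failure"); nothing after this is a login.
            return False
        m = TAGGED_RE.match(line)
        if m and m.group("tag") == tag:
            return m.group("status") == "OK"
    # No tagged response at all: timeout, EOF, server crash. Deny.
    return False


# Constructed sample replies, modelled on the maillog lines in the post.
SAMPLE_REPLIES = {
    "normal_user_ok":     ["a001 OK Logged in."],
    "normal_user_bad_pw": ["a001 NO Authentication failed."],
    "root_correct_pw":    ["* BYE Internal login failure"],
    "connection_dropped": [],
    "untagged_ok_only":   ["* OK Still here"],
}


def compare_policies():
    """Run both policies over the samples; returns {name: (lenient, strict)}."""
    return {
        name: (login_succeeded_lenient(lines), login_succeeded(lines))
        for name, lines in SAMPLE_REPLIES.items()
    }


if __name__ == "__main__":
    for name, (lenient, strict) in compare_policies().items():
        print(f"{name:20s} lenient={lenient!s:5s} strict={strict}")
```

Running it shows the root case accepted by the lenient policy and denied by the strict one, while a normal user with the right password passes both; the same fail-closed rule applies to any proxy authenticator, whatever back end it talks to.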