Hi

Is it possible to secure the Dovecot SASL auth provider for postfix?
https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

I'm currently using the inet option to provide SASL auth to postfix for dovecot. Both installs are on different hosts hence the use of inet rather than unix socket.

I'm looking for the best way to secure this channel (rather than just assuming the VLAN is secure), e.g. TLS. It would seem even the latest versions of dovecot/postfix3 don't support encrypting this channel?

Has anyone managed to implement a secure internal approach they can share? I'm wondering if Postfix with Cyrus against IMAP using STARTTLS is my best alternative.

Thanks
Raymond
On 27/09/17 12:07, Raymond Sellars wrote:
> Hi
>
> Is it possible to secure the Dovecot SASL auth provider for postfix?
> https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
>
> I'm currently using the inet option to provide SASL auth to postfix for dovecot. Both installs are on different hosts hence the use of inet rather than unix socket.

Postfix does not support this natively, and I don't think dovecot does either. That said, it should be relatively easy to set up an ssh tunnel or stunnel and push the connection through that.

Peter
Hi,

On 27.09.2017 at 01:07, Raymond Sellars wrote:
> Is it possible to secure the Dovecot SASL auth provider for postfix?

I'm using this configuration, which you've suggested.

> Has anyone managed to implement a secure internal approach they can share? I'm wondering if Postfix with Cyrus against IMAP using STARTTLS is my best alternative.

My config is:

On the dovecot server:

    service auth {
      inet_listener {
        address = 192.0.0.1
        port = 10001
        ssl = yes
      }
    }

On the postfix server in master.cf:

    submission inet n - - - - smtpd
      ...
      -o smtpd_sasl_path=inet:192.0.0.1:10001
      ...

And in main.cf:

    ### SASL via dovecot ###
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = inet:192.0.0.1:10001
    smtpd_sasl_type = dovecot

> Thanks
> Raymond

Greetings
Thomas
On 27.09.2017 at 09:35, Thomas Bauer wrote:
> On the postfix server in master.cf:
>
>     submission inet n - - - - smtpd
>       ...
>       -o smtpd_sasl_path=inet:192.0.0.1:10001
>       ...

You might use

    -o smtpd_tls_security_level=encrypt

as well, to ensure postfix makes use of TLS.
On 27/09/17 20:35, Thomas Bauer wrote:
>     service auth {
>       inet_listener {
>         address = 192.0.0.1
>         port = 10001
>         ssl = yes
>       }
>     }

ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.

>     -o smtpd_tls_security_level=encrypt

This definitely does not do what you think it does. This setting is for the smtpd server, not the SASL client. It will enforce TLS between the MUA (email client) and postfix. It does not affect the connection between postfix and the dovecot SASL server at all.

The only way to encrypt the connection between postfix and dovecot SASL is to use a tunnel.

Peter
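As an added illustration of the tunnel approach Peter describes (this is example configuration written for this page, not anything posted by Raymond, Thomas or Peter, and not from the Dovecot or Postfix projects), here is an stunnel pair that carries the Postfix-to-Dovecot auth connection over mutually authenticated TLS. It keeps Thomas's address and port (192.0.0.1:10001) as the TLS endpoint on the VLAN and moves Dovecot's plaintext auth listener to loopback. The certificate paths, the host names used for checkHost, the private CA, and the loopback port 10002 are all assumptions; the option names (client, cert, CAfile, verifyChain, checkHost, accept, connect) are stunnel 5.x options.

```ini
; ---- on the dovecot host: /etc/stunnel/dovecot-sasl.conf (assumed path) ----
; Terminates TLS on the VLAN address and forwards plaintext only to loopback,
; so the unencrypted auth protocol never leaves the dovecot host.
cert        = /etc/stunnel/dovecot-host.pem   ; assumed: this host's cert + key
CAfile      = /etc/stunnel/internal-ca.pem    ; assumed: private CA that issued both host certs
verifyChain = yes                             ; postfix host must present a cert from that CA
checkHost   = postfix.internal.example        ; assumed name in the postfix host's certificate

[dovecot-sasl]
accept  = 192.0.0.1:10001     ; the address/port from Thomas's config, now TLS-only
connect = 127.0.0.1:10002     ; dovecot auth inet_listener, bound to loopback (assumed port)

; ---- on the postfix host: /etc/stunnel/postfix-sasl.conf (assumed path) ----
; Listens on loopback for postfix and opens the TLS connection to the dovecot host.
client      = yes
cert        = /etc/stunnel/postfix-host.pem   ; assumed: this host's cert + key
CAfile      = /etc/stunnel/internal-ca.pem    ; same private CA as above
verifyChain = yes                             ; dovecot host must present a cert from that CA
checkHost   = dovecot.internal.example        ; assumed name in the dovecot host's certificate

[dovecot-sasl]
accept  = 127.0.0.1:10001     ; what postfix connects to (loopback only)
connect = 192.0.0.1:10001     ; stunnel on the dovecot host
```

With this in place, Dovecot's listener in Thomas's config becomes `inet_listener { address = 127.0.0.1  port = 10002 }` (no `ssl = yes`, which Peter notes is not documented for the auth service), and Postfix's `smtpd_sasl_path` becomes `inet:127.0.0.1:10001` on both the master.cf override and in main.cf. The `verifyChain` plus `checkHost` pair on both sides means a host on the VLAN without a certificate from the internal CA can neither reach the auth service nor impersonate it, which is the property the plain inet listener lacks; older stunnel 4 releases spell the verification setting differently (`verify = 2`), so check the man page for the installed version.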