Hideki A. Ikeda (HidekiAI) [池田英紀] ["Tony" Ikeda] –  BLog

Tag: courier

Postfix + Dovecot – (Cyrus + Courier)

by HidekiAI on Jan.03, 2009, under Technology Opinions

When setting up Postfix’s SMTP authentication, if you are doing a fresh install and/or do not have Cyrus SASL working, my recommendation is to use Dovecot instead.

If, on the other hand, you’ve been persistent and have Cyrus SASL working, leave it alone: you’ve probably got one of the few systems that are rare but functional, and you don’t want to break and/or disturb what is not broken.

Setting up Courier (IMAP and POP3) authentication through MySQL was trivial for the PLAIN password scheme.  The only hard part, I’d imagine, is writing your own authmysqlrc in your /etc/courier/authlib folder to query the username/password/uid/gid correctly.  But if you know your way around SQL queries, sooner or later you’ll get it right (if you need help, e-mail me and I’ll help you out; if I don’t respond, it’s most likely because my SASL is broken and I cannot get authenticated to send mail *grin*, what an irony; just kidding).

It used to be that you would guard your mailbox from prying eyes because back then, e-mails were more authentic, sort of like receiving a hand-written letter from somebody important.  Today you receive e-mails for just about anything, to the point where they aren’t so genuine anymore…  Or there is so much SPAM in your INBOX that you’d rather delete all the mail than read it.  In any case, you want to protect your server so that at least you’re not responsible for participating in this SPAM (make sure to run SMTP open-relay testers against it), or at least you can say that you’ve done all you can to avoid issues.

In any case, the whole point of that story is that you want to make sure your outgoing mail is authenticated (password protected) as well as your incoming.  With Postfix + Courier, you can make the assumption that if you logged on with POP3 and have been authenticated, you are most likely the same person, thus SMTP should not require any password in the same session.  Similarly, you can argue the same point for an IMAP session.

This is where SASL comes into play.  Just because Carnegie Mellon University was the origin of the SASL RFC and they are the ones who maintain Cyrus, it doesn’t mean it’s the best.  To me, Dovecot is better than Cyrus for one simple reason: Dovecot has documentation and wiki pages…  A damned good wiki, I might add…  It’s so good that I’ve been able to get SASL-based authentication for Postfix working in less than a day!

With Dovecot, it is (currently) authenticating in the following order:

  1. PAM – I have PAM look up both LDAP and the local password file, in that order of look-up priority.
  2. MySQL – this is so that other accounts which may be in LDAP but use PLAIN can be authenticated from the Postfix database, and/or users who do not have an LDAP account but do have virtual mail accounts.

As mentioned, because I’m using PAM to authenticate, I don’t need to integrate Dovecot with LDAP.  Whenever you can have PAM do the authentication, let it, rather than adding another link.  By the way, PAM can only do plaintext auth (it has to be handed the actual password to verify it), so do make sure you get SSL working.
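As an added example, not the post’s own configuration: the PAM-then-MySQL order and the Postfix hook-up written in Dovecot 2.x syntax (the 2009-era 1.x file nested the same passdb/userdb/socket settings inside “auth default { }”).  The certificate paths and the dovecot-sql.conf.ext query file are assumptions.

```conf
# --- /etc/dovecot/dovecot.conf (excerpt, Dovecot 2.x syntax) ---
# PAM has to be handed the real password, so only PLAIN/LOGIN work with it;
# refuse those on unencrypted connections and require TLS (paths assumed).
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/ssl/certs/imap.pem
ssl_key = </etc/ssl/private/imap.key
auth_mechanisms = plain login

# 1. PAM first: the "dovecot" PAM service stack is what consults LDAP, then shadow.
passdb {
  driver = pam
  args = dovecot
}
# 2. MySQL second, tried only when PAM fails: virtual mailboxes and accounts
#    that are in LDAP but keep a PLAIN password in the Postfix database.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = passwd
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# Socket Postfix uses for SMTP AUTH; smtpd runs chrooted in /var/spool/postfix,
# so from its side this is private/auth.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- /etc/postfix/main.cf (excerpt) ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Offer AUTH only after STARTTLS, matching disable_plaintext_auth above.
smtpd_tls_auth_only = yes
# Relay only for local networks and SASL-authenticated users.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After reloading both daemons, “doveadm auth test user” and an SMTP session that sends EHLO after STARTTLS should show the AUTH PLAIN/LOGIN offer; without STARTTLS no AUTH should be advertised.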

Meaning: say you have PAM linked to your LDAP server for SSH and session login, you’ve got it functional, and you have a centralized location (single point of authentication) for all your domain accounts.  Now, if you enable LDAP for Dovecot, that’s another piece of management you’d have to debug (or alter if the server gets moved to another hostname).

Let PAM be your middle layer between all your services and LDAP (and shadow).  The beauty of it all (and it’s common sense) is that once you get PAM working, the rest just fits in.  If something goes wrong with your LDAP server, you only have to deal with PAM.  The converse, of course, is that if PAM breaks, everything breaks.  But I prefer to take that chance, for management of Linux services can be a nightmare compared to Microsoft services (if you’ve installed both Active Directory and OpenLDAP, you’d know which is easier/quicker to set up and what I mean).

I’ve learned a lot from Cyrus, but I wish I hadn’t been stubborn about it and had given in to Dovecot earlier.  I wouldn’t have been able to form my own opinion about how difficult it is to set up Cyrus (but if you Google for Cyrus, I’d imagine you’d find quite a few people complaining about it), but if you have found this BLog and are in the midst of, or about to start, setting up SASL authentication for Postfix, try Dovecot first, because you should be spending your time on something more productive…


Postfix + Courier + SquirrelMail: configtest.php

by HidekiAI on Dec.09, 2008, under Technology Opinions

Ever get the following error when you run SquirrelMail’s configtest.php?

    Warning: fsockopen() [function.fsockopen]: SSL operation failed with code 1.
     OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
     version number in /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

    Warning: fsockopen() [function.fsockopen]: Failed to enable crypto in
     /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

    Warning: fsockopen() [function.fsockopen]: unable to connect to
     tls://imap.yourdomain.com:143 (Unknown error) in
     /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

    ERROR: Error connecting to IMAP server "imap.yourdomain.com:143". Server error: (0)

If you do get this error, take a look at the “use_imap_tls” variable in your config.php; most likely it is set to true.  The cause is that you’re telling it to use port 143 (IMAP) rather than 993 (IMAPS): the tls:// wrapper expects a TLS handshake immediately, and the plain IMAP greeting it gets on port 143 instead is what OpenSSL reports as “wrong version number”.

