Cyrus vs Dovecot for SASL AUTH and IMAP

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Cyrus vs Dovecot for SASL AUTH and IMAP

J Doe
Hi,

I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP.  While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor ?  Does one have a better track record than the other ?

Thanks,

- J
Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

Petri Riihikallio
> I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP.  While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor ?  Does one have a better track record than the other ?

They are both quite secure, I can’t say which one is better. Dovecot is a lot easier to set up, however. Straightforward setup usually translates to less mistakes and errors.

Cyrus has longer history while Dovecot is quite fresh. Long history means longer track record, but also all kinds of backwards compatible kludges that add bulk and complexity.

Dovecot is the most popular choice at the moment, as far as I can tell. Cyrus is popular in really large setups like ISPs and universities where performance is the top priority. They have also dedicated staff to study and maintain their systems.

br, Petri



Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

Patrick Ben Koetter-2
In reply to this post by J Doe
* J Doe <[hidden email]>:
> I am looking to use either Cyrus or Dovecot for both SASL authentication and
> IMAP.  While Postfix 3.1.0 supports both, I was wondering which to prefer if
> security is my most important deciding factor ?  Does one have a better
> track record than the other ?

The Cyrus SASL project has been discontinued. I recommend not to use security
relevant software that is unmaintained. Use Dovecot as password verification
service for Postfix.

p@rick

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 
Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

Larry Stone


> On Jan 16, 2018, at 11:26 PM, Patrick Ben Koetter <[hidden email]> wrote:
>
> The Cyrus SASL project has been discontinued. I recommend not to use security
> relevant software that is unmaintained. Use Dovecot as password verification
> service for Postfix.

There seems to still be activity. I am subscribed to the Cyrus SASL email list and there was a new RC release recently. Things seem to move slowly there but things seem to be happening.

Unfortunately, the last I knew, Dovecot is only supported by Postfix for inbound authentication. Outbound authentication (e.g. relaying outbound mail through an upstream server) requires Cyrus.

--
Larry Stone
[hidden email]



Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

The Doctor
In reply to this post by Patrick Ben Koetter-2
On Wed, Jan 17, 2018 at 06:26:52AM +0100, Patrick Ben Koetter wrote:

> * J Doe <[hidden email]>:
> > I am looking to use either Cyrus or Dovecot for both SASL authentication and
> > IMAP.  While Postfix 3.1.0 supports both, I was wondering which to prefer if
> > security is my most important deciding factor ?  Does one have a better
> > track record than the other ?
>
> The Cyrus SASL project has been discontinued. I recommend not to use security
> relevant software that is unmaintained. Use Dovecot as password verification
> service for Postfix.
>
> p@rick
>
> --
> [*] sys4 AG
>  
> https://sys4.de, +49 (89) 30 90 46 64
> Schlei??heimer Stra??e 26/MG,80333 M??nchen
>  
> Sitz der Gesellschaft: M??nchen, Amtsgericht M??nchen: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>

FYI, Cyru sasl is in rc6 mode for 2.1.27

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Birthday 29 Jan 1969 BOrn Redhill,Surrey,England , UK!
Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

Bill Cole-3
In reply to this post by J Doe
On 16 Jan 2018, at 17:19 (-0500), J Doe wrote:

> Hi,
>
> I am looking to use either Cyrus or Dovecot for both SASL
> authentication and IMAP.  While Postfix 3.1.0 supports both, I was
> wondering which to prefer if security is my most important deciding
> factor ?  Does one have a better track record than the other ?

None of us can tell you who you are...

There's no significant difference in security track record or code
maturity. Old-timers can remember when Dovecot was newish and Cyrus was
"The SASL Implementation" but that was a decade ago.

If you need *outbound* SASL support (i.e. authentication to an upstream
relay) then You can choose Cyrus or nothing. Otherwise, Dovecot is
easier to set up and with a commercial support entity behind it
(open-xchange.com)  it is maybe less likely to fall into a stale periods
as Cyrus has at times. Both can be made to support very large
high-availability environments, both are reasonable choices for IMAP/POP
service.

There are almost certainly many niche feature differences that would
tilt a choice one way or the other for site-specific needs. We don't
know what those might be for you. Most of us are unlikely to be able to
give you a detailed specific comparison because we've mostly used one or
the other (or something else) exclusively.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

Peter Ajamian
On 20/01/18 19:32, Bill Cole wrote:
> If you need *outbound* SASL support (i.e. authentication to an upstream
> relay) then You can choose Cyrus or nothing.

A point of clarification for outbound Cyrus SASL:  For this Postfix
simply has to have been built against the Cyrus SASL libraries and you
only need a few libs from Cyrus for this support.  You don't actually
have to run Cyrus for it and all config is done in Postfix.  If you need
both client SASL and server SASL support in postfix I would still use
Dovecot for the server side and just install those very few libs that
are necessary from Cyrus for the client SASL support.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: Cyrus vs Dovecot for SASL AUTH and IMAP

@lbutlr
On Jan 23, 2018, at 03:04, Peter <[hidden email]> wrote:
> I would still use Dovecot for the server side and just install those very few libs that are necessary from Cyrus for the client SASL support.


Agree. After switching to dovecot years ago I'm never going back to Cyrus.

--
This is my signature. There are many like it, but this one is mine.