SMTP-AUTH *without* SASL/PAM?

SMTP-AUTH *without* SASL/PAM?

Keith Palmer

Is it possible to configure Postfix for SMTP-AUTH *without* using SASL/PAM?

We're trying to keep things simple here, and I'd really rather prefer to
just have Postfix do lookups in a text file or straight from the unix
accounts for SMTP-AUTH.

Is it do-able?

--
 - Keith Palmer
   [hidden email]
   http://www.AcademicKeys.com/



Re: SMTP-AUTH *without* SASL/PAM?

Patrick Ben Koetter
* Keith Palmer <[hidden email]>:
>
> Is it possible to configure Postfix for SMTP-AUTH *without* using SASL/PAM?
>
> We're trying to keep things simple here, and I'd really rather prefer to
> just have Postfix do lookups in a text file or straight from the unix
> accounts for SMTP-AUTH.

Look into this:

# saslauthd -a shadow


>
> Is it do-able?
>
> --
>  - Keith Palmer
>    [hidden email]
>    http://www.AcademicKeys.com/
>
>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: SMTP-AUTH *without* SASL/PAM?

Keith Palmer

OK, thanks... but that doesn't answer my question.

>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>> SASL/PAM?

I'd like to *not run SASL at all* rather than have it do the lookups.

--
 - Keith Palmer
   [hidden email]
   http://www.AcademicKeys.com/

On Thu, October 29, 2009 10:31 am, Patrick Ben Koetter wrote:

> * Keith Palmer <[hidden email]>:
>>
>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>> SASL/PAM?
>>
>> We're trying to keep things simple here, and I'd really rather prefer to
>> just have Postfix do lookups in a text file or straight from the unix
>> accounts for SMTP-AUTH.
>
> Look into this:
>
> # saslauthd -a shadow
>
>
>>
>> Is it do-able?
>>
>> --
>>  - Keith Palmer
>>    [hidden email]
>>    http://www.AcademicKeys.com/
>>
>>
>
> --
> All technical questions asked privately will be automatically answered on
> the
> list and archived for public access unless privacy is explicitly required
> and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>


Re: SMTP-AUTH *without* SASL/PAM?

lst_hoe02
Quoting Keith Palmer <[hidden email]>:

>
> OK, thanks... but that doesn't answer my question.
>
>>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>>> SASL/PAM?
>
> I'd like to *not run SASL at all* rather than have it do the lookups.

Postfix has no user management of its own. You have to use either
Cyrus SASL or Dovecot SASL. Have a look here:
http://www.postfix.org/SASL_README.html

Regards

Andreas



Re: SMTP-AUTH *without* SASL/PAM?

Seth Mattinen
In reply to this post by Keith Palmer
Keith Palmer wrote:
> OK, thanks... but that doesn't answer my question.
>
>>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>>> SASL/PAM?
>
> I'd like to *not run SASL at all* rather than have it do the lookups.
>

Use the dovecot auth method. In spite of the name in the docs, no SASL
is involved whatsoever. I run dovecot on a few servers with all the
pop3/imap parts disabled just for auth.

~Seth

Re: SMTP-AUTH *without* SASL/PAM?

Barney Desmond
2009/10/30 Seth Mattinen <[hidden email]>:

> Keith Palmer wrote:
>> OK, thanks... but that doesn't answer my question.
>>
>>>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>>>> SASL/PAM?
>>
>> I'd like to *not run SASL at all* rather than have it do the lookups.
>>
>
> Use the dovecot auth method. In spite of the name in the docs, no SASL
> is involved whatsoever. I run dovecot on a few servers with all the
> pop3/imap parts disabled just for auth.

Uh, it *is* still SASL, unless I've misunderstood that.

To clarify: there is no way to avoid using SASL. SASL is the protocol
that Postfix uses to ask Someone Else for authentication. Postfix
supports no other authentication mechanisms. (the fact that the only
SASL backends in existence (basically) are POP/IMAP servers is what
usually confuses people).

If you have no particular requirements or existing configuration,
installing Dovecot and using it as your SASL backend is the easiest
way to go.
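
What a SASL backend does with an SMTP `AUTH PLAIN` response, as an added example that is not part of the thread and is not code from Postfix, Dovecot or Cyrus SASL: it decodes the RFC 4616 message and checks it against a text-file table of salted hashes. The table format, function names, work factor and sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor (assumption for this example)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed sample table, one "user:salt_hex:hash_hex" entry per line.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_TABLE = (
    "# constructed sample data, not real credentials\n"
    f"keith:{_SALT.hex()}:{hash_password('correct horse', _SALT).hex()}\n"
)

def load_table(text: str) -> dict:
    """Parse the text table into {user: (salt, hash)}, skipping comments."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, salt_hex, hash_hex = line.strip().split(":")
            table[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return table

def parse_plain(b64_response: str):
    """Decode a SASL PLAIN message: [authzid] NUL authcid NUL passwd (RFC 4616)."""
    try:
        raw = base64.b64decode(b64_response, validate=True)
        authzid, authcid, passwd = (f.decode("utf-8") for f in raw.split(b"\x00"))
    except ValueError:  # bad base64, wrong field count, or invalid UTF-8
        return None
    return authzid, authcid, passwd

def authenticate(b64_response: str, table: dict):
    """Return the authenticated user name, or None on any failure."""
    parsed = parse_plain(b64_response)
    if parsed is None:
        return None
    authzid, authcid, passwd = parsed
    # Reject empty fields and any attempt to act as a different identity.
    if not authcid or not passwd or authzid not in ("", authcid):
        return None
    # Unknown users are hashed against a dummy entry so timing stays similar.
    salt, expected = table.get(authcid, (b"\x00" * 16, b"\x00" * 32))
    matches = hmac.compare_digest(hash_password(passwd, salt), expected)
    return authcid if matches and authcid in table else None
```

PLAIN carries the password in reversible base64, so a server offering it should only do so over TLS.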

Re: SMTP-AUTH *without* SASL/PAM?

Patrick Ben Koetter
In reply to this post by Keith Palmer
* Keith Palmer <[hidden email]>:

>
> OK, thanks... but that doesn't answer my question.
>
> >> Is it possible to configure Postfix for SMTP-AUTH *without* using
> >> SASL/PAM?
>
> I'd like to *not run SASL at all* rather than have it do the lookups.
>
> --
>  - Keith Palmer
>    [hidden email]
>    http://www.AcademicKeys.com/
>
> On Thu, October 29, 2009 10:31 am, Patrick Ben Koetter wrote:
> > * Keith Palmer <[hidden email]>:
> >>
> >> Is it possible to configure Postfix for SMTP-AUTH *without* using
> >> SASL/PAM?
> >>
> >> We're trying to keep things simple here, and I'd really rather prefer to
> >> just have Postfix do lookups in a text file or straight from the unix
> >> accounts for SMTP-AUTH.

Reading straight from the UNIX accounts requires special privileges. This is
against the Postfix security model. The Cyrus SASL password verification
service "saslauthd" can run with the required special privileges and therefore
may act as a mediator.

As others have written, Postfix does not implement a SASL itself. It either
relies on Dovecot SASL or on Cyrus SASL. Both implementations provide
server-side AUTH, while only Cyrus SASL also provides Postfix client-side AUTH
capabilities.

p@rick


> > Look into this:
> >
> > # saslauthd -a shadow
> >
> >
> >>
> >> Is it do-able?
> >>
> >> --
> >>  - Keith Palmer
> >>    [hidden email]
> >>    http://www.AcademicKeys.com/
> >>
> >>
> >
> > --
> > All technical questions asked privately will be automatically answered on
> > the
> > list and archived for public access unless privacy is explicitly required
> > and
> > justified.
> >
> > saslfinger (debugging SMTP AUTH):
> > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
> >
>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: SMTP-AUTH *without* SASL/PAM?

Seth Mattinen
In reply to this post by Barney Desmond
Barney Desmond wrote:

> 2009/10/30 Seth Mattinen <[hidden email]>:
>> Keith Palmer wrote:
>>> OK, thanks... but that doesn't answer my question.
>>>
>>>>> Is it possible to configure Postfix for SMTP-AUTH *without* using
>>>>> SASL/PAM?
>>> I'd like to *not run SASL at all* rather than have it do the lookups.
>>>
>> Use the dovecot auth method. In spite of the name in the docs, no SASL
>> is involved whatsoever. I run dovecot on a few servers with all the
>> pop3/imap parts disabled just for auth.
>
> Uh, it *is* still SASL, unless I've misunderstood that.
>
> To clarify: there is no way to avoid using SASL. SASL is the protocol
> that Postfix uses to ask Someone Else for authentication. Postfix
> supports no other authentication mechanisms. (the fact that the only
> SASL backends in existence (basically) are POP/IMAP servers is what
> usually confuses people).
>
> If you have no particular requirements or existing configuration,
> installing Dovecot and using it as your SASL backend is the easiest
> way to go.


Well sure, but my point was that Dovecot auth doesn't have the normal
hassle of cyrus sasl so one shouldn't think of it as the same potential
evil.

~Seth