Re: [exim] Dovecot authentication

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Dovecot authentication
Renaud Allard wrote:

> Well, in fine, I'd like all user's passwords to be stored
> encrypted into a kerberos server.


IF '...I'd like....' means you have an operational need for
such things, then smtp itself is the wrong tool for the job.

Google 'Defense Messaging Service'. And trust that much of the
content is encrypted independently of the transmission network.

> Exim does not support (without cyrus-sasl) DIGEST-MD5 and
> GSSAPI, and it doesn't support bsdauth as a password
> database. However, with cyrus-sasl, it supports everything I
> need.
> Dovecot doesn't support checking anything against cyrus-sasl,
> but knows about GSSAPI with its own sasl library.


IMAP/POP and smtp only interact in the mailstore. They may exist
on the same server, but are not required to do so, as long as
both have access to the mailstore. Likewise their auth mechanisms.

Nothing prevents you using the same DB for multiple types of
auth. All you need is fields for each in a given record, and
appropriate key fields to find that record. These can be in a
single record, in a common DB, multiple records in a common DB,
or records in a separate.

Nothing prevents you configuring a full-featured MUA to provide
different information for smtp login than for POP/IMAP login.

*Many* things point you toward use of the methods common to
typically available MUA feature sets that folks know how to
configure.

How many users will *not* store their password in the MUA?

Even an 'Iowa Class' OpenBSD box can be no stronger than the
Win-zombie/trojan/worm magnet at the user's end.

> I don't
> want to use cyrus-imapd. What I'd like is to focalize on a
> centralised authenticator system, and then work on it as
> needed to make the central authenticator to use the kerberos
> server. So a patch to make dovecot use exim as an
> authentication system would be great as exim supports
> everything I want when linked against cyrus-sasl.
>


My Exim and Dovecot each access different fields in the same
record of a PostgreSQL DB.

The contents of such a field can match anything I can get an MUA
to hand-over. Concatenated, multi-part UIDs AND passwords for
employer/employee control, for example. And a lot more than NO
MUA can supply.

No point in reinventing the IMAP & smtp login process unless you
also plan to do a custom MUA to match.

Mixing arcane *N*X and WinWoes security models for the sake of
single-sign-on, single (point-of-failure/vulnerability) DB won't
buy you anything you will want to keep for long.

If you cannot securely store a plain-text password, you have far
larger problems than mail service security.

Bill
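As an added illustration of the shared-record layout Bill describes above (not his actual schema or configuration; the table, column, role and login names below are assumptions), a PostgreSQL schema in which Exim and Dovecot read different columns of the same row, with each daemon's database role granted only the columns it needs:

```sql
-- Constructed example: one row per mailbox, with separate credential
-- columns for the SMTP (Exim) and IMAP/POP (Dovecot) logins.
CREATE TABLE mailusers (
    login      text    PRIMARY KEY,   -- key field both daemons look up
    uid        integer NOT NULL,
    gid        integer NOT NULL,
    home       text    NOT NULL,
    smtp_pass  text    NOT NULL,      -- checked only by Exim's authenticator
    imap_pass  text    NOT NULL,      -- checked only by Dovecot's passdb
    active     boolean NOT NULL DEFAULT true
);

-- Constructed sample row; the credential values are placeholders.
INSERT INTO mailusers VALUES
    ('alice@example.org', 5000, 5000, '/var/mail/alice',
     'PLACEHOLDER-SMTP-CREDENTIAL', 'PLACEHOLDER-IMAP-CREDENTIAL', true);

-- One database role per daemon. Column-level GRANT (PostgreSQL 8.4+)
-- means neither role can read the other's credential column, so a
-- compromise of one service does not hand over both passwords.
CREATE ROLE exim_auth    LOGIN PASSWORD 'PLACEHOLDER-EXIM-DB-SECRET';
CREATE ROLE dovecot_auth LOGIN PASSWORD 'PLACEHOLDER-DOVECOT-DB-SECRET';

GRANT SELECT (login, smtp_pass, active)
    ON mailusers TO exim_auth;
GRANT SELECT (login, uid, gid, home, imap_pass, active)
    ON mailusers TO dovecot_auth;

-- The query Exim's PLAIN/LOGIN authenticator would run through a pgsql
-- lookup, where $auth2 is the username (quoted with ${quote_pgsql:...})
-- and the result is compared against $auth3 in server_condition.
SELECT smtp_pass FROM mailusers
 WHERE login = 'alice@example.org' AND active;

-- The query Dovecot's sql passdb would run as password_query; %u is the
-- login name and Dovecot verifies against the column named 'password'.
SELECT login AS "user", imap_pass AS password FROM mailusers
 WHERE login = 'alice@example.org' AND active;

-- Connected as exim_auth, this is refused with a permission-denied error:
-- SELECT imap_pass FROM mailusers;
```

Whether the credential columns hold plain text or hashes is a separate decision: both daemons can compare either form, and the per-role grants apply the same way.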


> On Mon, 10 Jul 2006 01:07:19 +0800 W B Hacker
> <wbh@???> wrote:
>
>
>> Renaud Allard wrote:
>>
>> *trim*
>>
>>
>>> In fact, I must admit I would prefer a patch that would
>>> let dovecot authenticate against exim (which in turn
>>> supports cyrus-sasl library even for PLAIN, LOGIN,...).
>>>
>>
>>
>> You don't need any patches for that, only minor
>> compile-time flags and appropriate configuration file
>> settings.
>>
>> Both Exim and Dovecot will use the auth methods they are
>> told to use and will seek the UID:GID and PWD from whatever
>> source(s) you point them to, plain, crypted, or both.
>>
>> As an SSL 'tunnel' also protects the UID and message
>> content as well as the <plain> password, we consider it the
>> best and simplest approach [1].
>>
>> Bill
>>
>> [1] With older MUA that lacked SSL/TLS, we used 'stunnel'.