Re: [exim] Dovecot authentication

Author: Renaud Allard
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] Dovecot authentication
All passwords are already stored in a kerberos server _AND_ a plaintext
file (could be SQL, but this wouldn't change anything as this would be a
plaintext store anyway). However, I still need 2 password DBs to
provide all authentication possibilities. My goal is to have only one
encrypted DB to hold all of the authentication data. And this DB has to
be a kerberos server in order to provide GSSAPI auth.
The passwords should be the same for reading mail and for sending mail
as most (all?) users won't use a different password for sending and for
receiving, and I certainly don't configure 2 different realms for
sending and receiving as it would be the same as using 2 DBs.


W B Hacker wrote:
> Renaud Allard wrote:
>
>> Well, in fine, I'd like all user's passwords to be stored
>> encrypted into a kerberos server.
>
> IF '...I'd like....' means you have an operational need for
> such things, then smtp itself is the wrong tool for the job.
>
> Google 'Defense Messaging Service'. And trust that much of the
> content is encrypted independently of the transmission network.
>
>> Exim does not support (without cyrus-sasl) DIGEST-MD5 and
>> GSSAPI, and it doesn't support bsdauth as a password
>> database. However, with cyrus-sasl, it supports everything I
>> need.
>> Dovecot doesn't support checking anything against cyrus-sasl,
>> but knows about GSSAPI with its own sasl library.
>
> IMAP/POP and smtp only interact in the mailstore. They may exist
> on the same server, but are not required to do so, as long as
> both have access to the mailstore. Likewise their auth mechanisms.
>
> Nothing prevents you using the same DB for multiple types of
> auth. All you need is fields for each in a given record, and
> appropriate key fields to find that record. These can be in a
> single record, in a common DB, multiple records in a common DB,
> or records in a separate.
>
> Nothing prevents you configuring a full-featured MUA to provide
> different information for smtp login than for POP/IMAP login.
>

--

.O.
..O
OOO

PGP key: http://www.llorien.org/gnupg/key.pub
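Added illustration, not part of the original thread: the setup Renaud describes (Exim authenticating SMTP clients via cyrus-sasl against the Kerberos realm, Dovecot doing GSSAPI with its own SASL code, both reading the same KDC so there is a single password database) looks roughly like the fragments below. The realm name, hostname, keytab path and the list of offered mechanisms are assumptions; the Exim `cyrus_sasl` authenticator options and the Dovecot `auth_*` settings are the documented ones, but version-specific details should be checked against the manuals in use.

```text
# --- Exim (configure), added example: offer GSSAPI through cyrus-sasl ---
# Exim itself only speaks PLAIN/LOGIN/CRAM-MD5 natively; the cyrus_sasl
# driver hands the mechanism negotiation to libsasl2, which talks to the KDC.
begin authenticators

gssapi:
  driver        = cyrus_sasl
  public_name   = GSSAPI
  server_mech   = GSSAPI
  server_realm  = EXAMPLE.ORG            # assumed realm
  server_hostname = mail.example.org     # assumed principal host part
  server_set_id = $auth1
  # only allow authentication once the session is TLS-protected
  server_advertise_condition = ${if def:tls_cipher}

# Exim needs read access to the keytab holding smtp/mail.example.org@EXAMPLE.ORG
# (path set via /etc/sasl2/exim.conf or the KRB5_KTNAME environment variable).

# --- Dovecot (dovecot.conf), added example: same realm, Dovecot's own SASL ---
auth_mechanisms   = plain gssapi
auth_gssapi_hostname = mail.example.org   # assumed; must match the service principal
auth_krb5_keytab  = /etc/dovecot/dovecot.keytab   # assumed path, imap/mail.example.org@EXAMPLE.ORG
```

The point this makes concrete is the one in the quoted exchange: the MTA and the IMAP server never share an authentication library, only the back-end credential store (here the KDC), so each daemon needs its own service principal and keytab, and each keytab should be readable only by the daemon that uses it.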