Suggestion: Replace Cyrus SASL with Dovecot

interfasys

Rationale:
  • We're already using Dovecot and it provides SASL auth out of the box
  • Cyrus-SASL is an extra package that needs to be installed and maintained (See Exim 4.71 thread)

All it takes are 2 changes, one in exim.conf, one in dovecot.conf
 
Sure.

In dovecot.conf, in auth default
Code:
# Auth socket that Exim's dovecot authenticator connects to
socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = mail
    }
}

In exim.conf
Code:
plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
 
Where does it go in my latest SpamBlocker Technology exim.conf file? And what has to be commented out if the changes in dovecot.conf aren't made?

If you'll help me, we'll put this into the latest version.

Jeff
 
You simply replace the plain and login authenticators.
You can also remove the perl subroutine from exim.pl if you want.
 
But if I replace the authenticators will the exim.conf file continue to work if dovecot.conf isn't changed? Please be very specific or I'm going to have to ignore this thread.

Thanks.

Jeff
 
No, that's the reason I posted in this thread. This is a DA change and not an exim specific one. You need both changes to make it work.
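
The post above says the two files must change together. As an added example (not part of the thread or of DirectAdmin), this Python check parses both configs and reports any Exim `driver = dovecot` authenticator whose `server_socket` has no matching Dovecot client socket, or whose socket mode grants access beyond owner and group. The sample configs are constructed from the snippets in this thread, the function names are hypothetical, and the parser assumes the Dovecot 1.x `socket listen` syntax shown here.

```python
import re

# Constructed samples based on the thread's snippets (Exim part abridged).
DOVECOT_CONF = """auth default {
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = mail
    }
  }
}"""
EXIM_AUTH = """plain:
  driver = dovecot
  server_socket = /var/run/dovecot/auth-client
login:
  driver = dovecot
  server_socket = /var/run/dovecot/auth-client
"""

def dovecot_client_sockets(conf):
    """Map socket path -> octal mode (or None) for each client { } block."""
    socks = {}
    for body in re.findall(r"^\s*client\s*\{([^{}]*)\}", conf, re.M):
        opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        if "path" in opts:
            socks[opts["path"]] = int(opts["mode"], 8) if "mode" in opts else None
    return socks

def exim_dovecot_sockets(conf):
    """Map authenticator name -> server_socket for driver = dovecot entries."""
    auths, name = {}, None
    for line in conf.splitlines():
        if m := re.match(r"\s*(\w+):\s*$", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s*(\w+)\s*=\s*(\S+)", line)):
            auths.setdefault(name, {})[m.group(1)] = m.group(2)
    return {n: o.get("server_socket") for n, o in auths.items()
            if o.get("driver") == "dovecot"}

def check(dovecot_conf, exim_conf):
    """Return a list of mismatches between the two files (empty = consistent)."""
    socks, problems = dovecot_client_sockets(dovecot_conf), []
    for name, path in exim_dovecot_sockets(exim_conf).items():
        if path not in socks:
            problems.append(f"{name}: {path} is not a Dovecot client socket")
        elif socks[path] is not None and socks[path] & 0o007:
            problems.append(f"{name}: {path} is open to all local users")
    return problems
```

Running `check()` against an unmodified dovecot.conf flags both authenticators, which is the failure the question above asks about.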
 
Hello,

The dovecot sasl method sounds good... however, I'm not positive that we're actually using sasl with exim in the first place, making switching a bit redundant. Right now, our authenticators are done by "us" in the /etc/exim.pl using perl.

If we were actually using sasl with exim, the login would look something like this:
Code:
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
but ours is:
Code:
server_condition = "${perl{smtpauth}}"
so we're not using it there (at least). I also checked through our Makefiles for exim, and I did not find CYRUS_SASLAUTHD_SOCKET in it anywhere, eg:
Code:
CYRUS_SASLAUTHD_SOCKET=/var/lib/sasl2/mux
is nowhere in the Makefile, so if it is being compiled in, that's not our intention.

It may be possible that exim is wanting it due to some internal default during compiles that we're not aware of (hence the compile dependency in some cases)... perhaps there is a flag to shut that off, if that's actually the case (I couldn't find any after a quick google).

As for the requirement to maintain the external sasl library, if my assumption that we're not actually using it is right.. even if it's compiled in and an older version of sasl.. again since we're not using it, keeping it updated wouldn't be much of a priority.

Perhaps someone knows more about it being compiled in than I do.. but as far as I can tell, we don't need it, and don't use it.

Since we're successfully using perl for our authentication, I would see no reason to go through the trouble of changing the default to use dovecot, even if it was slightly more efficient than the exim.pl.
Note that our exim.pl method also allows us to make other customizations if we need to (like block sending if the /etc/virtual/limit file is set, and the limit is reached).. something dovecot sasl wouldn't know about. (Even though the check is done in the lookuphost, and not the auth check, it still allows for more flexibility if we need it)

John
 
Thank you for your detailed answer John.

Indeed, if cyrus-sasl is not being used and there is no documented way of easily getting rid of it, there is no real reason to change.

AFAIK, the check_limits script is still run, regardless of who is doing the authentication, but yes, if we wanted to use that script for something else, then it would come in handy.
 