Switching to Dovecot SASL for SMTP AUTH
Introduction
When I first built up the configurations for vPostMaster I was struggling
getting the SMTP server to authenticate directly against the database via
Cyrus SASL. Since then, Dovecot has added a SASL implementation, and it's
much easier to deal with.
We recently had a customer that needed to have non-PLAIN SMTP logins
supported, and the Cyrus SASL rimap method just doesn't work for that.
NOTE: For versions of vPostMaster 1.48 and after, and vPostMaster Pro
2.24 and after, you can use this recipe to enable non-PLAIN login
mechanisms once your users have reset their passwords (getting their
plain-text password in the database).
Recipe
To switch over to using Dovecot SASL, which directly authenticates against
the database, you can do the following:
Verify that your Postfix supports Dovecot SASL by listing the SASL server
implementations it was built with:
    postconf -a
Do not go any further if "dovecot" is not printed in that list.
In /etc/postfix/main.cf, add the following lines:
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
And in the dovecot.conf (/etc/dovecot.conf or /etc/dovecot/dovecot.conf)
there is an "auth default" section. Add the "socket listen" section so
the end result is something like the following:
    auth default {
      mechanisms = plain cram-md5 ntlm
      passdb sql {
        args = /etc/dovecot/dovecot-vpostmaster.conf
      }
      userdb sql {
        args = /etc/dovecot/dovecot-vpostmaster.conf
      }
      user = root
      socket listen {
        client {
          # Assuming the default Postfix $queue_directory setting
          path = /var/spool/postfix/private/auth
          mode = 0660
          # Assuming the default Postfix user and group
          user = postfix
          group = postfix
        }
      }
    }
Note that the "mechanisms" list above includes "cram-md5" and "ntlm". Do
not make that change until you have plain-text passwords in the
database.
Restart dovecot and postfix.
At this point, you should no longer be using the "saslauthd" authentication
mechanism; instead you should be authenticating directly against the
database via Dovecot SASL.
Non-PLAIN Logins
To get non-plain logins working there is one further thing that needs to be
done: the database must contain unencrypted copies of all the passwords.
The next version of vPostMaster switches over to storing passwords in
plain-text in the database. I've gone back and forth on this, as I don't
believe that storing plain-text passwords is a good thing, but in order to
not require plain-text for authentication the server needs an unencrypted
copy of the password.
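To make that last point concrete, here is an added worked example (not code from vPostMaster or Dovecot) of what a CRAM-MD5 SMTP AUTH exchange actually computes on each side; the challenge, user name and password are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the original page).
CHALLENGE = b"<1896.697170952@postoffice.example.com>"   # RFC 2195 style
USERNAME = "alice@example.com"
PLAINTEXT_PASSWORD = "correct horse battery staple"
# What the database held before the plain-text field existed: a one-way hash.
# Constructed value, used only to show it cannot verify a CRAM-MD5 response.
CRYPT_HASH = "$1$saltsalt$ConstructedCryptHashNotReversibleXX"


def server_challenge_line(challenge: bytes) -> str:
    """The '334' line Postfix sends: the challenge, base64 encoded."""
    return "334 " + base64.b64encode(challenge).decode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the password over the raw challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def client_response_line(response: str) -> str:
    """The client's reply on the wire, also base64 encoded."""
    return base64.b64encode(response.encode()).decode()


def server_verify(wire_line: str, challenge: bytes, lookup) -> bool:
    """Server side: decode the reply, fetch the stored secret for the user,
    recompute the HMAC and compare. This only works when `lookup` returns
    the plain-text password; a crypt hash gives a different (wrong) HMAC."""
    username, _, digest = base64.b64decode(wire_line).decode().partition(" ")
    stored = lookup(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plaintext_db(user: str):
    """Stands in for the plaintextpasswd column query."""
    return PLAINTEXT_PASSWORD if user == USERNAME else None


def hashed_db(user: str):
    """Stands in for the old hashed-password column query."""
    return CRYPT_HASH if user == USERNAME else None
```

With the plain-text column the server can recompute the HMAC and the login succeeds; with only the hash it cannot, which is exactly why the database needs the unencrypted copy before "cram-md5" is enabled.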
With the 1.48 version of vPostMaster, there will be a plain-text password
field. This can be disabled, but is enabled by default. Any accounts set
up or with the password changed after this version upgrade will have the
plain-text password in the database.
Once all your users have their plain-text passwords in the database, you
will then be able to switch dovecot over to using the plain-text password
instead of the encrypted version by changing the "dovecot-vpostmaster.conf"
file so that it reads similar to:
    driver = pgsql
    connect = host=localhost dbname=vpostmaster user=imapserver password=X
    default_pass_scheme = PLAIN
    password_query = SELECT users.plaintextpasswd AS password FROM users
        WHERE users.name = '%n' AND users.domainsname = '%d'
        AND users.active = 't' AND (SELECT active FROM domains
        WHERE name = '%d') = 't'
    user_query = SELECT userdir AS home, 1001 AS uid, 1001 AS gid
        FROM users WHERE users.name = '%n' AND users.domainsname = '%d'
        AND users.active = 't' AND (SELECT active FROM domains
        WHERE name = '%d') = 't'
NOTE: The "password_query" and "user_query" settings must each be written
as a single very long line; they are wrapped above only for readability.
Then change the "mechanisms" in the dovecot.conf, restart dovecot, and you
should be in business.