Switching to Dovecot SASL for SMTP AUTH

Introduction

When I first built up the configurations for vPostMaster I was struggling to get the SMTP server to authenticate directly against the database via Cyrus SASL. Since then, Dovecot has added a SASL implementation, and it's much easier to deal with.

We recently had a customer that needed to have non-PLAIN SMTP logins supported, and the Cyrus SASL rimap method just doesn't work for that.

NOTE: For versions of vPostMaster 1.48 and after, and vPostMaster Pro 2.24 and after, you can use this recipe to enable non-PLAIN login mechanisms once your users have reset their passwords (getting their plain-text password in the database).

Recipe

To switch over to using Dovecot SASL, which directly authenticates against the database, you can do the following:

At this point, you should no longer be using the "saslauthd" authentication mechanism; instead, you should be authenticating directly against the database via Dovecot SASL.

Non-PLAIN Logins

To get non-PLAIN logins working, one further thing needs to be done: the database must contain unencrypted copies of all the passwords.

The next version of vPostMaster switches over to storing passwords in plain-text in the database. I've gone back and forth on this, as I don't believe that storing plain-text passwords is a good thing, but in order to not require plain-text for authentication, the server needs an unencrypted copy of the password.
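
Why a challenge-response login needs the unencrypted password, as an added example that is not part of vPostMaster or Dovecot. It assumes CRAM-MD5 (RFC 2195) as a representative non-PLAIN mechanism; the user table, the host name and the SHA-256 "hashed" column are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample data: the same account stored two ways.
# SHA-256 stands in for any one-way password hash (assumption, not vPostMaster's scheme).
PLAINTEXT_DB = {"tim": "tanstaaftanstaaf"}
HASHED_DB = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in PLAINTEXT_DB.items()}

def make_challenge(hostname="mail.example.com"):
    """Server: fresh, unpredictable challenge in RFC 2195 msg-id form."""
    return "<%d.%d@%s>" % (int.from_bytes(os.urandom(8), "big"), int(time.time()), hostname)

def cram_md5_digest(secret, challenge):
    """HMAC-MD5 keyed with the shared secret, computed over the challenge."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def client_response(user, password, challenge):
    """Client: send "user digest" (base64), never the password itself."""
    reply = "%s %s" % (user, cram_md5_digest(password, challenge))
    return base64.b64encode(reply.encode()).decode()

def server_verify(response_b64, challenge, lookup_secret):
    """Server: recompute the digest from whatever the database stores."""
    try:
        user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    stored = lookup_secret(user)
    if stored is None:  # unknown user
        return False
    expected = cram_md5_digest(stored, challenge)
    return hmac.compare_digest(expected.encode(), digest.encode())

if __name__ == "__main__":
    challenge = make_challenge()
    response = client_response("tim", "tanstaaftanstaaf", challenge)
    print("plain-text column:", server_verify(response, challenge, PLAINTEXT_DB.get))
    print("hashed column:    ", server_verify(response, challenge, HASHED_DB.get))
    print("replayed response:", server_verify(response, make_challenge(), PLAINTEXT_DB.get))
```

The hashed-column check fails because a one-way hash cannot be turned back into the HMAC key the client used, which is why the plain-text column has to be populated before non-PLAIN mechanisms are enabled.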

With the 1.48 version of vPostMaster, there will be a plain-text password field. This can be disabled, but is enabled by default. Any accounts set up or with the password changed after this version upgrade will have the plain-text password in the database.

Once all your users have their plain-text passwords in the database, you will then be able to switch Dovecot over to using the plain-text password instead of the encrypted version by changing the "dovecot-vpostmaster.conf" file so that it reads similar to:

driver = pgsql
connect = host=localhost dbname=vpostmaster user=imapserver password=X
default_pass_scheme = PLAIN
password_query = SELECT users.plaintextpasswd AS password FROM users
   WHERE users.name = '%n' AND users.domainsname = '%d'
   AND users.active = 't' AND (SELECT active FROM domains
   WHERE name = '%d') = 't'
user_query = SELECT userdir AS home, 1001 AS uid, 1001 AS gid
   FROM users WHERE users.name = '%n' AND users.domainsname = '%d'
   AND users.active = 't' AND (SELECT active FROM domains
   WHERE name = '%d') = 't'

NOTE: The "password_query" and "user_query" lines need to be a single very long line.

Then change the "mechanisms" setting in dovecot.conf, restart Dovecot, and you should be in business.