mouss wrote:
Darren Pilgrim wrote:
mouss wrote:
Charles Marcus wrote:
On 12/25/2008, Darren Pilgrim (post...@bitfreak.org) wrote:
Cyrus-SASL 2.1.22 (on B and C for SMTP client SASL)
You might try just using dovecot-sasl - one less package to
install/maintain, and it works as well or better than cyrus-sasl, and is
much easier to configure...

http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

he uses cyrus-sasl for client-sasl (smtp_*, not smtpD_*). dovecot only
supports server-sasl.


but I don't see why he uses client-sasl between his internal and
external servers.
The internet is between the servers.  I use SASL rather than
address-based access lists since only the prior is reliable.

why not use TLS instead?
With TLS, you can use certificate fingerprints for access control, or
you can use PLAIN SASL (since the communication is protected by TLS).

if the server is in an untrusted data center, this has the benefit of
preventing other (owned) servers from sniffing data.

I can appreciate what you're trying to do and I have looked at the alternatives.

Certificate-based authentication isn't practical because I'm not set up for automatically revoking and changing certificates. I'm already set up for SASL credentials with automatic account lockout and password rotation.

TLS is working on B, but C is behind an idiotic firewall that strips STARTTLS from SMTP traffic and only lets SSL through on port 443. Yeah. The A server has another service on port 443.

Even if I didn't need it, I've found an issue with the interoperability between Postfix and Dovecot and feel compelled to contribute to the software that makes my business viable.

Is it possible to alter how postfix sets the username and realm used by the smtp client? Is the problem within cyrus-sasl or postfix?
