Re: 2.3 and Dovecot SASL

From: Udo Rader (udo.raderbestsolution.at)
Date: Fri Apr 28 2006 - 13:17:59 CDT


On Fri, 2006-04-28 at 12:49 -0400, David Cary Hart wrote:
> I hate to fix what ain't broke. SASL works just fine.
>
> Are there performance and security benefits to implementing Dovecot
> SASL support?

Hmm, I cannot really say about performance, as our servers only have to
deal with 3K accounts and so far postfix performance has never been any
issue (amavisd et al are a different story).

Our current setup is postfix using Cyrus SASL and dovecot using its
native SASL implementation. From our POV this has one major drawback,
namely DIGEST/CRAM authentication in connection with LDAP. For
Cyrus-SASL you are bound to the userPassword attribute and thus need to
have it stored plaintext in LDAP. This again means that services like
ssh, ... will also use this plaintext password. At least for us this is
ugly and a potential security risk, as some of our users are allowed to
connect via ssh as well.

Dovecot OTOH lets you specify the attribute you want to use for SASL
authentication and thus allows you to have a completely separate password
for mail (which is what we prefer, no "single sign on" for
services/applications abused very often, like MUAs).

We are currently testing 2.3 in connection with dovecot SASL and so far
we are very impressed, but dovecot SASL is of course "young" compared to
cyrus SASL, yet again "some people" have "some concerns" about cyrus
SASL coding quality, but I am in absolutely no position to verify this.

Udo Rader

--
BestSolution.at EDV Systemhaus GmbH
http://www.bestsolution.at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQBEUlxWuhFd84GLxP8RAgI4AKCuUaEgyZv4mXQOY3bhi5AYVFmj1ACeI/l4
90lslL+sT45Za/T3XZNvGfo=
=PBZS
-----END PGP SIGNATURE-----
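As an added illustration, not part of Udo's message or of either project's documentation, here is a minimal configuration for the setup he describes: Postfix 2.3 handing SMTP AUTH to Dovecot's authentication socket, with Dovecot's LDAP passdb reading the mail password from a dedicated attribute instead of userPassword. The attribute name mailPassword, the base DN under dc=example,dc=com, the Dovecot bind DN and the socket path are assumptions for this example.

```conf
# /etc/postfix/main.cf (Postfix 2.3 or later): use Dovecot, not Cyrus, for SMTP AUTH
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# path is relative to queue_directory, i.e. /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# /etc/dovecot/dovecot.conf (Dovecot 1.0 syntax): auth service shared with Postfix
auth default {
  # CRAM-MD5/DIGEST-MD5 can only be verified against a recoverable (plaintext) secret
  mechanisms = plain cram-md5 digest-md5
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

# /etc/dovecot/dovecot-ldap.conf: look the user up and return the MAIL password
hosts = localhost
ldap_version = 3
auth_bind = no
dn = cn=dovecot,ou=services,dc=example,dc=com      # assumed bind DN, needs read on mailPassword only
dnpass = <bind password>
base = ou=people,dc=example,dc=com
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# userPassword (used by ssh/PAM) is never read; mailPassword is a separate secret
pass_attrs = uid=user,mailPassword=password
# value in mailPassword is stored plain (or prefixed {PLAIN}), so the MD5 challenge mechanisms work
default_pass_scheme = PLAIN
```

The separate attribute still has to hold a plaintext (or {PLAIN}-prefixed) value for CRAM-MD5 and DIGEST-MD5 to be verifiable, so the gain is isolation rather than hashing: limit read access to mailPassword in the LDAP server's ACLs to Dovecot's bind DN, and keep userPassword in a hashed scheme for the shell accounts. Check the result with an authenticated SMTP session (e.g. AUTH CRAM-MD5 over a TLS-protected connection) and confirm in the Postfix log that the session reports the Dovecot-authenticated username.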