Re: 2.3 and Dovecot SASL

From: David Cary Hart (PostfixMTATQMcube.com)
Date: Fri Apr 28 2006 - 13:46:10 CDT


On Fri, 28 Apr 2006 20:17:59 +0200
Udo Rader <udo.raderbestsolution.at> opined:
> On Fri, 2006-04-28 at 12:49 -0400, David Cary Hart wrote:
> > I hate to fix what ain't broke. SASL works just fine.
> >
> > Are there performance and security benefits to implementing
> > Dovecot SASL support?
>
> Hmm, I cannot really say about performance, as our servers only
> have to deal with 3K accounts and so far postfix performance has
> never been any issue (amavisd et al are a different story).
>
> Our current setup is postfix using Cyrus SASL and dovecot using its
> native SASL implementation. From our POV this has one major
> drawback, namely DIGEST/CRAM authentication in connection with
> LDAP. For Cyrus-SASL you are bound to the userPassword attribute
> and thus need to have it stored plaintext in LDAP. This again means
> that services like ssh, ... will also use this plaintext password.
> At least for us this is ugly and a potential security risk, as some
> of our users are allowed to connect via ssh as well.
>
> Dovecot OTOH lets you specify the attribute you want to use for
> SASL authentication and thus allows you to have a completely separate
> password for mail (which is what we prefer, no "single sign on" for
> services/applications abused very often, like MUAs).
>
> We are currently testing 2.3 in connection with dovecot SASL and so
> far we are very impressed, but dovecot SASL is of course "young"
> compared to cyrus SASL, yet again "some people" have "some
> concerns" about cyrus SASL coding quality, but I am in absolutely
> no position to verify this.
>
It will be interesting to see what the Fedora developers do when 2.3
is released. Since circa FC3, SASL was compiled into the Postfix RPMs
by default. I have always used my custom RPMs anyway.

--
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php
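As an added illustration, not part of the archived thread, of why DIGEST/CRAM authentication forces the server to hold the cleartext secret: the CRAM-MD5 check recomputes an HMAC keyed with the stored password, so it can only succeed against a cleartext attribute, while PLAIN (inside TLS) can be checked against a salted hash. The directory entries, the challenge and the attribute name `mailPassword` are constructed for the example.

```python
import base64
import hashlib
import hmac

def ssha(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} form OpenLDAP stores in userPassword."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed stand-in for the LDAP directory: userPassword is the hashed
# system (ssh) password, mailPassword (hypothetical attribute name) holds a
# separate cleartext secret used only for mail, as the post describes.
DIRECTORY = {
    "udo": {"userPassword": ssha("shell-pw", b"s4lt"),
            "mailPassword": "mail-only-pw"},
}

def cram_md5_response(challenge: bytes, username: str, secret: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 of the challenge keyed with the typed password."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def verify_cram_md5(challenge: bytes, response: str, attribute: str) -> bool:
    """Server side: recompute the HMAC keyed with whatever `attribute` holds.
    It only matches when the stored value is the cleartext secret, which is
    why Cyrus SASL bound to userPassword forces cleartext storage there."""
    username, _, digest = response.partition(" ")
    entry = DIRECTORY.get(username)
    stored = entry.get(attribute) if entry else None
    if not stored or not digest:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def verify_plain(username: str, password: str) -> bool:
    """PLAIN/LOGIN (acceptable only inside TLS) can be checked against the
    salted hash, so the system password never needs cleartext storage."""
    entry = DIRECTORY.get(username)
    if not entry:
        return False
    raw = base64.b64decode(entry["userPassword"][len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

if __name__ == "__main__":
    ch = b"<1234.1146249970@mail.example.org>"  # constructed server challenge
    print(verify_cram_md5(ch, cram_md5_response(ch, "udo", "mail-only-pw"), "mailPassword"))  # True
    print(verify_cram_md5(ch, cram_md5_response(ch, "udo", "shell-pw"), "userPassword"))  # False
```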