Does Dovecot use Cyrus or its own SASL on my Virtualmin installation

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.4
Webmin version: 2.111
Usermin version: 2.010
Virtualmin version: 7.10.0
Theme version: 21.10
Package updates: 27 package updates are available

This is a simple one if you know the answer :smile:

On a default installation of Virtualmin, does Dovecot use its own internal SASL or does it use the Cyrus SASL?

Thanks

Dunno how you set up Dovecot, so it’s impossible to answer; if it’s the default, that may be a different answer. But I would research the subject fully and try everything on a VM before applying anything to a production server. Note the title of the thread.

The package manager will tell you. I don’t think SASL is involved in Dovecot, only SMTP authentication.

Dovecot has nothing to do with it. Virtualmin configures Cyrus saslauthd.

IMAP/POP3 (which is what Dovecot provides in a Virtualmin system) do not authenticate via SASL. Only SMTP is authenticated via SASL. So, Dovecot is not using Cyrus saslauthd or the Dovecot SASL implementation.

Dovecot has a SASL implementation, and we’ve considered switching to it just to remove one of our additional dependencies, but there’s some thought to adding JMAP support to Virtualmin in the future, and it seems like that would necessitate a switch to Cyrus for POP3/IMAP, since Dovecot has no near-term plans to implement JMAP. I am unsure if we have any near-term plans, either, though, since client support is very minimal right now and it’s mostly only useful for webmail clients.
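The quickest way to see which backend each daemon is actually wired to on a running box is `postconf smtpd_sasl_auth_enable smtpd_sasl_type smtpd_sasl_path` for Postfix (the SMTP side, which is where Cyrus saslauthd comes in) and `doveconf -n auth_mechanisms` for Dovecot. The script below is an added example, not Virtualmin’s or Dovecot’s code: it applies the same lookup, including the postconf(5) defaults that take effect when a key is left unset, to constructed config fragments so that it runs offline. The fragments and the file names they imitate are assumptions for illustration, not a copy of any Virtualmin-generated file.

```python
"""Which SASL implementation does each daemon use?

Added example for this thread, not Virtualmin code. Parses Postfix main.cf and a
Dovecot conf fragment the same way you would read `postconf` / `doveconf -n`
output, applying the documented defaults for keys that are not set.
"""

# postconf(5) defaults used when main.cf does not set the key.
POSTFIX_DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_sasl_type": "cyrus",   # Postfix ships with Cyrus SASL as the default backend
    "smtpd_sasl_path": "smtpd",   # Cyrus application name / Dovecot socket path
}
DOVECOT_DEFAULT_MECHANISMS = "plain"


def parse_postfix_main_cf(text: str) -> dict:
    """main.cf: 'key = value', '#' comments, continuation lines start with whitespace."""
    settings, last_key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last_key:
            settings[last_key] = (settings[last_key] + " " + line.strip()).strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            last_key = key.strip()
            settings[last_key] = value.strip()
    return settings


def parse_dovecot_conf(text: str) -> dict:
    """Dovecot conf: 'key = value' inside brace sections; nested keys are stored
    as 'section.key' (e.g. 'passdb.driver'); repeated keys become a list."""
    settings, path = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip().split()[0])
        elif line == "}":
            path.pop()
        else:
            key, sep, value = line.partition("=")
            if sep:
                settings.setdefault(".".join(path + [key.strip()]), []).append(value.strip())
    return settings


def postfix_sasl_backend(settings: dict) -> tuple:
    """Return (backend, path) for SMTP AUTH, or ('disabled', None)."""
    cfg = {**POSTFIX_DEFAULTS, **settings}
    if cfg["smtpd_sasl_auth_enable"].lower() != "yes":
        return ("disabled", None)
    return (cfg["smtpd_sasl_type"].lower(), cfg["smtpd_sasl_path"])


def dovecot_auth_summary(settings: dict) -> dict:
    """Mechanisms offered on IMAP/POP3 and where passwords are checked."""
    mechanisms = settings.get("auth_mechanisms", [DOVECOT_DEFAULT_MECHANISMS])[-1].split()
    return {
        "mechanisms": mechanisms,
        "passdb_drivers": settings.get("passdb.driver", []),
        # Anything other than plain/login is a non-plaintext mechanism and needs
        # the plaintext password (or the mechanism's own scheme) on the server.
        "needs_plaintext_or_mech_scheme": [m for m in mechanisms if m.lower() not in ("plain", "login")],
        "plaintext_only_over_tls": settings.get("disable_plaintext_auth", ["yes"])[-1] == "yes",
    }


# Constructed config fragments (illustration only, not Virtualmin's generated files).
MAIN_CF_CYRUS = """\
# SASL on, smtpd_sasl_type left unset -> Postfix default, Cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
"""
MAIN_CF_DOVECOT = """\
# The alternative: Postfix hands SMTP AUTH to Dovecot's auth socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""
DOVECOT_10_AUTH = """\
disable_plaintext_auth = yes
auth_mechanisms = plain login
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
"""

if __name__ == "__main__":
    print("SMTP AUTH backend:", postfix_sasl_backend(parse_postfix_main_cf(MAIN_CF_CYRUS)))
    print("IMAP/POP3 auth:", dovecot_auth_summary(parse_dovecot_conf(DOVECOT_10_AUTH)))
```

With the first fragment the answer is `('cyrus', 'smtpd')`: SASL is on but no type is named, so Postfix falls back to libsasl2, which is why saslauthd shows up in the mail log. Dovecot's `passdb { driver = pam }` with `plain login` is the system-user setup the thread describes, and the summary flags no mechanism that would require a plaintext password store.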

Joe, I see SASL in the logs but Webmin has it set to NO. Does Virtualmin override?

You’re just looking in the wrong place. You don’t want that. It’d make it impossible for anyone to send you mail. (They’d have to have an account on your server.)

Edit: Oops, Ilia pointed out to me that this is the client-side options, not server-side. Please include the page title in screenshots! This is for relaying mail, and has nothing to do with how your users interact with your server.


Is there any reason Dovecot does not use SASL? I thought this was the modern way of authentication for IMAP/POP3/SMTP?

If you look at

Webmin --> Servers --> Dovecot IMAP/POP3 Server --> Authentication methods
[screenshot]

This alters the setting auth_mechanisms in the following config file

[screenshot]

which is listed on this page

Authentication (SASL) Mechanisms — Dovecot documentation

Isn’t CRAM-MD5 a SASL mechanism?

https://doc.dovecot.org/settings/core/#core_setting-auth_mechanisms

You can’t use CRAM-MD5 (or any of those other options) with system users without also storing plaintext passwords. The way the email protocols treat passwords and the way Linux treats passwords don’t have any overlap, so there’s gotta be a plaintext password somewhere…Virtualmin sets up SSL on all mail protocols (and we recommend you use them) so passwords are not transmitted in plain text. We don’t support any of those other options.

From the Dovecot docs:

"Non-plaintext mechanisms have been designed to be safe to use even without SSL encryption. Because of how they have been designed, they require access to the plaintext password or their own special hashed version of it. This means that it’s impossible to use non-plaintext mechanisms with commonly used DES or MD5 password hashes.

If you want to use more than one non-plaintext mechanism, the passwords must be stored as plaintext so that Dovecot is able to generate the required special hashes for all the different mechanisms. If you want to use only one non-plaintext mechanism, you can store the passwords using the mechanism’s own Password Schemes."

We plan a refactor of the mail stack, maybe for Virtualmin 8 (development starting later this year), which likely ends this particular dichotomy by severing “mail” and “system” users. That has far-reaching implications, but is probably better for most use cases; easier to scale across multiple systems, for instance. That may wait until JMAP is more mature, since that will also require a mail stack refactor (which would probably involve dropping Dovecot in favor of Cyrus).

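The point in the reply above, that a challenge/response mechanism needs something a crypt(3) hash cannot provide, is easiest to see with both exchanges written out. The following is an added example for this thread, not Dovecot or Virtualmin code. Wire formats follow RFC 2195 (CRAM-MD5) and RFC 4616 (PLAIN); the user name, password and challenge are the RFC 2195 worked example. The "system" password store is a constructed stand-in (salted SHA-512 via hashlib), not a real shadow file.

```python
"""CRAM-MD5 versus PLAIN: what the server has to hold to verify each.

Added example, not Dovecot code. The one-way hash store stands in for
/etc/shadow; PLAIN can be checked against it, CRAM-MD5 cannot.
"""
import base64
import hashlib
import hmac


# --- constructed credential stores -------------------------------------------
def shadow_hash(password: str, salt: bytes) -> str:
    """Stand-in for a crypt(3) entry: one-way, salted, not reversible."""
    return salt.hex() + "$" + hashlib.sha512(salt + password.encode()).hexdigest()


SHADOW_STORE = {"tim": shadow_hash("tanstaaftanstaaf", salt=b"constructed-salt")}
PLAINTEXT_STORE = {"tim": "tanstaaftanstaaf"}   # what CRAM-MD5 needs server-side


# --- PLAIN (RFC 4616): "authzid\0authcid\0password", base64 ------------------
def plain_response(authcid: str, password: str, authzid: str = "") -> bytes:
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode())


def plain_verify(response_b64: bytes, shadow: dict) -> bool:
    """The server receives the password itself, so it can re-hash it with the
    stored salt and compare. Only safe inside TLS, hence disable_plaintext_auth."""
    parts = base64.b64decode(response_b64).split(b"\0")
    if len(parts) != 3:
        return False
    authcid, password = parts[1].decode(), parts[2].decode()
    stored = shadow.get(authcid)
    if stored is None:
        return False
    salt_hex = stored.partition("$")[0]
    return hmac.compare_digest(shadow_hash(password, bytes.fromhex(salt_hex)), stored)


# --- CRAM-MD5 (RFC 2195) -----------------------------------------------------
def cram_md5_challenge(nonce: str, host: str) -> bytes:
    """Server: base64 of a unique string, conventionally '<nonce@host>'."""
    return base64.b64encode(f"<{nonce}@{host}>".encode())


def cram_md5_response(challenge_b64: bytes, username: str, password: str) -> bytes:
    """Client: HMAC-MD5 keyed with the password over the decoded challenge."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(challenge_b64: bytes, response_b64: bytes, store: dict) -> bool:
    """Server: must recompute the same HMAC, so it needs the same key the client
    used. Handing it a shadow-style hash as the key produces a mismatch, because
    the hash is not the password and cannot be turned back into it."""
    username, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    key = store.get(username)
    if key is None:
        return False
    expected = hmac.new(key.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    # RFC 2195 example values: user tim, password tanstaaftanstaaf
    ch = cram_md5_challenge("1896.697170952", "postoffice.reston.mci.net")
    resp = cram_md5_response(ch, "tim", "tanstaaftanstaaf")
    return {
        "plain_ok_with_shadow": plain_verify(plain_response("tim", "tanstaaftanstaaf"), SHADOW_STORE),
        "cram_ok_with_plaintext": cram_md5_verify(ch, resp, PLAINTEXT_STORE),
        "cram_ok_with_shadow": cram_md5_verify(ch, resp, SHADOW_STORE),
        "cram_digest": base64.b64decode(resp).decode().split(" ")[1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it, PLAIN verifies against the hash-only store while CRAM-MD5 verifies only when the server holds the plaintext; with the hash store it fails. That is the trade the reply describes: PLAIN/LOGIN inside TLS against PAM and the system hash, or a second, reversible credential store to offer CRAM-MD5 and friends. The RFC's published digest for this challenge is `b913a602c7eda7a495b4e6e7334d3890`, which the client side reproduces.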

Sounds good as I have found some issues.

Thanks for the extended response.

This is a world full of compromises. We made the compromises that made the most sense at the time. I’m still trying to decide what compromises will be worth making dramatic changes for…there have been many suggestions made over the years for quite bad compromises (things like “Why don’t you put users in MySQL?”).

I may think different things are important than other folks. And, that’s OK, you can solve these problems in any way you want to; everything in the mail stack is open, you can modify anything you want. We certainly won’t stop you.

But, if you want to do it differently, you’ll have to implement it yourself, and I would advise caution, since mail is very complex and has a lot of compatibility and interaction concerns that are not intuitive or immediately obvious; there are things about the way mail works that seem absolutely bonkers on the surface (and sometimes even after you understand it and why they did it that way). We used to see a lot of folks following some Virtualmin guide on the internet that involved a very complicated mail stack, with MySQL users. It wasn’t pretty and it wasn’t easy to help them solve problems because there were so many places for problems to occur. Our stack has the benefit of being close to as simple as possible (I’m a little iffy about our use of multiple layers of procmail, which is my primary motivation for a refactor, but mostly there aren’t any pieces we could remove to make it simpler).


I want to keep things simple and as close to the Virtualmin default install as possible. My journey is more about documenting Virtualmin as I go, which can be used as a reference, but I have found issues on the way, things like out-of-date settings or some that just need removing, so I report them.

Having SASL is useful for things like using LDAP for authentication but I just want normal email authentication setup using the latest standards.

One small improvement example is to add a Cyrus SASL module with only the edit config button which will have all of the relevant config files listed.

When I started I did not know what SASL was and why I needed it, I do now :grinning:

I am using Virtualmin to make running a server easier and provide a GUI but using the CLI when needed.

Yeah, I don’t touch.
