saslauthd methods ldap and pam missing
Hi - is it possible to add ldap and pam auth methods for saslauthd?
saslauthd 2.1.28 authentication mechanisms: sasldb getpwent kerberos5 rimap shadow httpform
see: https://linux.die.net/man/8/saslauthd
Most likely, yes.
Can you explain your use case a bit more, so I know how to test? Or even share a pull request?
For the Debian image, saslauthd already comes with support for PAM and LDAP.
For PAM (the default), it would pass the plaintext password for further verification. For LDAP, it can retrieve hashed passwords to verify plaintext logins. The Postfix SASL_README was probably updated 20+ years ago. See saslauthd LDAP setup and options instead.
Note that saslauthd expects LDAP options in /etc/saslauthd.conf, and a chroot jail may need some extra considerations.
To verify:
```
# cat /etc/debian_version
12.5
# saslauthd -v
saslauthd 2.1.28
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
# grep ^MECHANISMS= /etc/default/saslauthd
MECHANISMS="pam"
# cat /etc/saslauthd.conf
cat: /etc/saslauthd.conf: No such file or directory
```
There is also a separate ldapdb.c auxprop plugin (libsasl2-modules-ldap, 75kB).
You could also add the sql.c auxprop plugin to verify plaintext passwords against MySQL/MariaDB, PostgreSQL and SQLite (libsasl2-modules-sql, 1602kB).
See also https://www.cyrusimap.org/sasl/sasl/options.html#sasl-library
For Alpine, the most sensible approach would be building saslauthd from scratch. Although, my guess is, someone wanting to use LDAP (or SQL) for authentication is probably not fussed about the few extra bytes of the Debian image.
For setting up a simple test, have a look at https://github.com/glauth/glauth
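The verification steps shown in the comment above can be scripted so a container build or health check fails early when the selected mechanism is not compiled in. This is an added example, not part of the thread or the project's code; the function names and return codes are assumptions, and the file paths are the Debian ones quoted above.

```shell
#!/bin/sh
# Added example (not project code): compare the mechanism selected in the
# defaults file with what `saslauthd -v` reports as compiled in.

# list_mechs: read `saslauthd -v` output on stdin, print one mechanism per line.
list_mechs() {
    sed -n 's/^.*authentication mechanisms:[[:space:]]*//p' | tr -s ' ' '\n'
}

# configured_mech FILE: print the value of the last MECHANISMS= line in FILE.
configured_mech() {
    sed -n 's/^MECHANISMS="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_saslauthd VERSION_OUTPUT DEFAULTS_FILE LDAP_CONF
# Return codes (assumed convention for this example):
#   0 ok, 1 mechanism not compiled in, 2 ldap selected but LDAP_CONF unreadable,
#   3 no MECHANISMS= line found.
check_saslauthd() {
    mech=$(configured_mech "$2")
    if [ -z "$mech" ]; then
        echo "no MECHANISMS= line in $2"
        return 3
    fi
    if ! printf '%s\n' "$1" | list_mechs | grep -qxF "$mech"; then
        echo "mechanism '$mech' is not compiled into this saslauthd"
        return 1
    fi
    # The ldap mechanism reads its options from a separate file.
    if [ "$mech" = ldap ] && [ ! -r "$3" ]; then
        echo "mechanism 'ldap' selected but $3 is missing or unreadable"
        return 2
    fi
    echo "mechanism '$mech' is supported"
    return 0
}

# Live check against the local installation, only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    check_saslauthd "$(saslauthd -v 2>&1)" /etc/default/saslauthd /etc/saslauthd.conf
fi
```

Run with `--live` inside the image to check the installed binary; without arguments the script only defines the functions.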
@thielj Thank you so much for this explanation.
Frankly, I'm torn on whether adding this to the Alpine image would even be worth the effort. If you're authenticating against a third-party system, that sounds like a big stretch over what this project was initially designed to do.
I might be willing to consider a pull request if it doesn't increase build time of the Alpine image considerably.
I stopped maintaining a full postfix with LDAP support 15+ years ago - and I don't plan to go back. You might want to add the two plugins to the Debian image though. It wouldn't make a big difference in size.