deliver vs LMTP for shared folders

Ken Murchison ken at
Fri May 13 12:23:32 EDT 2005

Scott Balmos wrote:

> Ken Murchison wrote:
>> Scott Balmos wrote:
>>> Hi all,
>>> This is probably a bad subject line for the topic, but I can't think 
>>> of a better one. I've always heard, between here and on the Postfix 
>>> list, that delivering directly via LMTP to Cyrus is better than using 
>>> the deliver wrapper program. I was curious how much of a performance 
>>> hit there is by using deliver rather than LMTP directly? There's a 
>>> method to my madness.
>> I can't give you any quantitative number, but it's just an extra, 
>> needless process.
>>> Anyway... The main problem is that I have found no way to get Postfix 
>>> to authenticate as an arbitrary user over LMTP (e.g. to pull the 
>>> username from the user+folder address). I can set the Postfix LMTP 
>>> client to authenticate with SASL... But then Postfix requires a SASL 
>>> password map, which is impossible because the user account passwords 
>>> are not stored anywhere in cleartext.
>> Keep in mind that deliver is just a simple LMTP client, so anything 
>> that it does, *should* be possible in any MTA.  An admin can always 
>> proxy as another user as long as you use a SASL mechanism which 
>> supports it (PLAIN, DIGEST-MD5).  But, in deliver's case it's using the 
>> optional AUTH=<authuser> keyword with the MAIL FROM command.  At least 
>> one of these methods should be supported by Postfix.
> Should and does are not always the same, unfortunately. :) I think this 
> is one area where Postfix maintains its mutual distrust of itself (its 
> other component programs) in the name of security. From the LMTP client 
> protocol code in Postfix:
>        /*
>         * We authenticate the local MTA only, but not the sender.
>         */
> #ifdef USE_SASL_AUTH
>        if (var_lmtp_sasl_enable
>        && (state->features & LMTP_FEATURE_AUTH)
>        && state->sasl_passwd)
>        vstring_strcat(next_command, " AUTH=<>");
> #endif
>        next_state = LMTP_STATE_RCPT;
>        break;
> So using AUTH=<blah> is out of the question, not to mention the fact 
> that (as given by the state->sasl_passwd attribute check) Postfix 
> expects to need to log in successfully before even thinking about 
> putting in AUTH=<>. And as far as I can tell in the LMTP SASL code, 
> Postfix has support for authentication, but not authorization. 
> Whereabouts in the SASL docs, RFC, or whatever does it describe how to 
> specify the authorization name in an LMTP (or SMTP for that matter) AUTH 
> login conversation? If I'm reading the source code to deliver correctly, 
> it uses the AUTH=<> keyword regardless, so I'm guessing that keyword is 
> always available no matter whether or not you authenticate with SASL 
> during the LMTP conversation startup.

Authorization is handled as part of the SASL mechanism exchange.  It's 
not explicitly handled by any LMTP command.  For the PLAIN SASL mech for 
instance, the client sends the (optional) authorization id, 
authentication id and password (for the authentication id).

Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
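
Added example, not part of the original message and not Cyrus or Postfix code: how the PLAIN mechanism (RFC 4616) carries the optional authorization id next to the authentication id and password, and the separate proxy check a server applies after verifying the password. The account names, the password and the PROXY_ADMINS set are constructed for illustration.

```python
import base64

def plain_initial_response(authcid, password, authzid=""):
    """Client side: [authzid] NUL authcid NUL passwd, base64-encoded for the wire."""
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    if any("\x00" in f for f in (authzid, authcid, password)):
        raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain(b64_response):
    """Server side: return (authzid, authcid, password).

    An empty authzid means "act as the authenticated user".
    """
    try:
        raw = base64.b64decode(b64_response, validate=True)
        fields = [f.decode("utf-8") for f in raw.split(b"\x00")]
    except ValueError as exc:  # bad base64 and bad UTF-8 both raise ValueError subclasses
        raise ValueError("malformed PLAIN response") from exc
    if len(fields) != 3 or not fields[1] or not fields[2]:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = fields
    return (authzid or authcid), authcid, password

def may_act_as(authcid, authzid, proxy_admins):
    """Authorization decision, taken only after authcid's password has been verified."""
    return authzid == authcid or authcid in proxy_admins

# Constructed policy: accounts allowed to proxy as other users (hypothetical name).
PROXY_ADMINS = {"lmtpadmin"}

def demo():
    # The admin authenticates with its own password but asks to act as "scott".
    wire = plain_initial_response("lmtpadmin", "example-password", authzid="scott")
    authzid, authcid, _ = parse_plain(wire)
    return "AUTH PLAIN " + wire, authzid, authcid, may_act_as(authcid, authzid, PROXY_ADMINS)

if __name__ == "__main__":
    print(demo())
```
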