Help with cyrus-imapd, cyrus-sasl, postfix and lmtp

Dan White dwhite at olp.net
Sun Nov 4 18:24:51 EST 2012


On 11/04/12 09:43 -0600, Dale J Chatham wrote:
>my intent is to have postfix in the DMZ delivering to cyrus lmtp and
>cyrus internal.
>
>I'd like to not have to have a map of users, but to use ideally sasldb
>to determine users and passwords, but pam if necessary.  I'd rather use
>stock packages and avoid compiling from scratch.
>
>Distro is centos 6.3
>
>I can't seem to get all the pieces talking to each other and have taken
>a week reading everything I can find.  This would seem to be a natural
>way to run, but I can't find docs on it.
>
>If there is a FAQ out there, someone please point me to it.

On 11/04/12 10:12 -0600, Dale J Chatham wrote:
>I was hoping postfix could be configured to blindly forward to lmtp and
>let lmtp authenticate.
>
>I lost a dual sendmail configuration where mail was received in the DMZ
>and then forwarded to a sendmail internal.
>
>Perhaps I'm approaching this entirely wrong.

On 11/04/12 10:32 -0600, Dale J Chatham wrote:
>One more point.  Can't one authenticate with saslauthd running on a
>remote machine?
>
>So, could I:
>
>Internet    DMZ             Internal
>========    =============   ==============
>mail           ->  Postfix                 -> lmtp
>                             ^                            |  |
>                             |                     +--- +  v
>                             |                      | Cyrus-imapd
>                             |                      |       |
>                             |                      |       v
>                             +-----------------+> saslauthd

Cyrus can use saslauthd to authenticate both incoming lmtp and imap connections. By
default both daemons should use the same authentication service, whether
that's sasldb or saslauthd, or another source.

Such a configuration might look like (on the Cyrus server):

lmtp_admins: postfix_username
# Needed if authenticating with saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
# Needed, unless you're using tls
allowplaintext: yes
sasl_pwcheck_method: saslauthd

Consult the Postfix documentation for how to specify the lmtp credentials.

It's standard practice to enable smtp authentication on a postfix server,
particularly if you have roaming users with email clients. As Andy pointed
out, you may need to sync your authentication database between the two
servers, unless your authentication database is network enabled, i.e. SQL
or LDAP.

Postfix can be configured to use cyrus sasl for smtp authentication (see
saslfinger),

-- 
Dan White
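
Added example (not part of the original message, and not configuration from Dan White or the Postfix project): a sketch of the Postfix side of the setup described above, using Postfix's lmtp_sasl_* client parameters. The host name cyrus.internal.example, port 2003, the map path and the password are placeholders; Variant B assumes the Cyrus lmtpd has TLS configured and offers STARTTLS.

```conf
# /etc/postfix/main.cf on the DMZ host (added example; names are placeholders)

# Deliver to the internal Cyrus lmtpd over TCP. The host name and port are
# assumptions; use whatever your lmtp service listens on in cyrus.conf.
# mailbox_transport assumes the mail domain is listed in mydestination.
mailbox_transport = lmtp:inet:cyrus.internal.example:2003

# Authenticate to lmtpd as the user listed in lmtp_admins on the Cyrus side.
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_passwd

# Variant A: no TLS (pairs with "allowplaintext: yes" on the Cyrus server).
# Postfix refuses PLAIN/LOGIN by default (noplaintext), so that default has
# to be relaxed. The password then crosses the DMZ-to-internal link in
# cleartext.
#lmtp_sasl_security_options = noanonymous

# Variant B: TLS required; plaintext mechanisms are allowed only inside TLS.
lmtp_tls_security_level = encrypt
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = noanonymous

# /etc/postfix/lmtp_sasl_passwd (separate file, root-owned, mode 0600; run
# "postmap /etc/postfix/lmtp_sasl_passwd" after editing). The lookup key is
# the LMTP server's host name; the password is a placeholder.
#   cyrus.internal.example    postfix_username:CHANGE_ME
```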

