0

I have set up a Debian 10 mail server with sendmail and dovecot+virtual users in preparation for a migration (the old server is also running sendmail + dovecot, but older versions and with "real" users).

On the dovecot side, everything is peachy. I set up a passwd-file auth for testing, and I can log in, save drafts, and see locally delivered mail in my IMAP client.

However, when sending, sendmail is set up to require authentication, and I am looking for a way to let sendmail use the same auth database as dovecot, ideally even authenticate against dovecot (via SASL?).

Searching the web has not yielded any useful results; apparently the sendmail + dovecot combination is relatively rare. While I don't intend to stay on this forever, I am looking for a quick solution now to buy me time for migrating to a new stack.

moeffju
  • 123

3 Answers

1

You can configure cyrus-sasl to auth against dovecot using remote imap capability.

For example in CentOS (auth against local IMAP/Dovecot):

/etc/sysconfig/saslauthd
MECH=rimap
FLAGS=" -O 127.0.0.1"

However, this might be problematic, because you are going to make many more connections to the IMAP server, and in the logs you will see login attempts from localhost, so bear that in mind.

0

Try using dovecot-msa on port msa(587) with "local sendmail like" relaying to 127.0.0.1:25.
IMHO it is a simple way to use dovecot maintained passwords for IMAP, POP3 and SMTP.

Use FEATURE(no_default_msa) in sendmail.mc to disable sendmail listening on port 587.

Warning: making sendmail know the list of valid virtual email addresses handled by dovecot is a separate issue [back-scatter prevention].

AnFi
  • 1,098
0

On Debian you would edit /etc/default/saslauthd and change these lines:

# Example: MECHANISMS="pam"
MECHANISMS="rimap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS="-O 127.0.0.1"

and, optionally (in the same file), if you are using dovecot's userdb with %u (user@domain usernames), you need to add the -r option to the options so that saslauthd passes the @domain to rimap:

OPTIONS="-r -c -m /var/run/saslauthd"

If you don't add the -r to the options, then, on the dovecot side, you will need to use %l instead of %u, and your dovecot users file will contain 'username' lines instead of 'username@domain' lines.

For example:

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%l /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%l /etc/dovecot/users

  # Default fields that can be overridden by passwd-file
  default_fields = uid=dovecot-virtual gid=dovecot-virtual home=/home/dovecot-virtual/%l
}

Personally I opted to add -r to saslauthd because then I can authenticate users with the same username in different domain names in both sendmail and dovecot.
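
Both rimap answers above turn every sendmail SMTP AUTH check into an IMAP login from 127.0.0.1, so failed SMTP logins appear in Dovecot's log with a loopback source address. The following is an added example (not part of any answer) that separates those entries from direct IMAP failures; the log lines are constructed samples in Dovecot's usual imap-login format, and the function names and threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Dovecot's imap-login log format (not taken from the page).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4101, secured, session=<a1>
Mar  3 10:00:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<a2>
Mar  3 10:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<a3>
Mar  3 10:00:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<a4>
Mar  3 10:01:30 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<a5>
Mar  3 10:02:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<a6>
Mar  3 10:02:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<a7>
"""

# Assumption: saslauthd's rimap connects over loopback (-O 127.0.0.1) and nothing
# else on the host (e.g. local webmail) logs in to IMAP from these addresses.
LOCAL = {"127.0.0.1", "::1"}
LINE = re.compile(r"imap-login: (?P<event>[^:]+): user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)")

def failures(log):
    """Yield (user, rip) for every failed IMAP login in the log text."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m and "auth failed" in m.group("event"):
            yield m.group("user"), m.group("rip")

def split_failures(log):
    """Count failures per user for loopback logins and per source IP for remote ones."""
    relay, direct = Counter(), Counter()
    for user, rip in failures(log):
        if rip in LOCAL:
            relay[user] += 1   # SMTP AUTH via saslauthd: only the account name is usable
        else:
            direct[rip] += 1   # ordinary IMAP client: source IP is meaningful
    return relay, direct

def flag_relay_users(log, threshold=3):
    """Accounts with at least `threshold` failed logins arriving through loopback."""
    relay, _ = split_failures(log)
    return sorted(u for u, n in relay.items() if n >= threshold)

if __name__ == "__main__":
    relay, direct = split_failures(SAMPLE_LOG)
    print("via saslauthd/rimap:", dict(relay))
    print("direct IMAP:", dict(direct))
    print("flagged accounts:", flag_relay_users(SAMPLE_LOG))
```

Because the loopback entries carry no client address, IP-based banning driven by Dovecot's log cannot act on them; the client address for those attempts has to come from sendmail's own log.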