SASL: Dovecot versus Cyrus

#1 Wed, 10/03/2018 - 14:41
KitchM

Does anyone know why Webmin/Virtualmin uses Cyrus instead of Dovecot for SASL? If Dovecot is already installed, why add another application?

Also, what happens in the system if one wishes to change?

Wed, 10/03/2018 - 15:01
atleast

I see dovecot as default and want to switch to CYRUS

Wed, 10/03/2018 - 16:11
KitchM

My platform is CentOS 7 and Webmin version 1.890/ Virtualmin version 6.03. What is yours?

Wed, 10/03/2018 - 18:57 (Reply to #3)
atleast

Centos 7.5 and virtualmin 6.02. But can you kindly advise which instructions or configuration steps you took for dovecot / Postfix?

Wed, 10/03/2018 - 20:09
KitchM

That's the point of my question; I have not yet done so. You see, there is a difference between what is done in Webmin/Virtualmin and what is normally done without a control panel. What you might do outside the control panel might totally mess things up when working inside a control panel. Therein lies the problem.

Unless someone has personal experience, is a programmer who has the time and ability to go over and understand the code or Jamie wishes to divulge the inner workings, there is no way to know without trial and error which might damage things.

Wed, 10/03/2018 - 20:22
atleast

I think the default install of dovecot on webmin is dovecot SASL and not cyrus. Now I think that if we choose cyrus, by simply installing it one can modify the config on the mail server to use cyrus instead of dovecot. I am going to try to do that to see if it works. I don't think there is much difference between dovecot and cyrus SASL. I am going to search for step-by-step instructions to configure a TLS mail server.

Fri, 10/12/2018 - 12:52 (Reply to #6)
atleast

I guess the underlying default system is surely Cyrus. BUT as I did write dovecot in main.cf, you can try that, which may then be the real active one. You can try both and see how it impacts. I hope it is clear.

Thu, 10/04/2018 - 09:58
KitchM

The consensus appears, in a cursory overview, that Dovecot is simpler and uses less resources. However, you can check yours by running the following command as root:
postconf -d
This will display all the settings for Postfix and e-mail on your server.

Look for the line that states:
smtpd_sasl_type =
It may state cyrus or dovecot. That will tell you which you have.

Wed, 10/10/2018 - 19:50 (Reply to #8)
atleast

On my existing install I found that in the postfix main.cf it clearly says smtp sasl type = dovecot. On a new default install where I have not configured it manually it shows that it is cyrus but enable = no, yet there I see it is configured by default:

smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus

Hope it helps you. I think you opt for cyrus or dovecot by simply opting. Please let me know.

Thu, 10/04/2018 - 12:31
KitchM

Forgot to mention that you could use postconf -a to list all of the available SASL plug-in types. It turns out that mine can use both cyrus and dovecot. Go figure.

Wed, 10/10/2018 - 16:38
KitchM

Nobody? Really?

Wed, 10/10/2018 - 19:42 (Reply to #11)
atleast

Hello friend, I apologize for not being able to reply so far, as I have been under some stress and bad luck. I will try to do some testing on a new setup and see how it works. I hope some other experienced users can respond to you soon, as I am not really very experienced. In fact you seem to know a lot.

Wed, 10/10/2018 - 20:03
atleast

Now I give you the output of postconf -d on a working postfix/dovecot install, and it looks identical to the default new install. Please know that in main.cf I have specifically mentioned dovecot, as shown below, so now I am confused. I copied the configuration of postfix from a few sites.

smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

The output of postconf -d shows cyrus:

smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
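
Added example, not part of the thread: `postconf -d` prints Postfix's compiled-in defaults while `postconf -n` prints what main.cf sets explicitly, and `smtp_sasl_*` parameters govern Postfix as a client whereas `smtpd_sasl_*` govern its SMTP server. The script resolves the effective value for each side from constructed sample output; the sample values and the helper names `lookup`, `effective`, `source_of` and `report` are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `postconf -d` output (compiled-in defaults, main.cf ignored).
DEFAULTS='smtp_sasl_auth_enable = no
smtp_sasl_path =
smtp_sasl_type = cyrus
smtpd_sasl_auth_enable = no
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus'

# Constructed sample of `postconf -n` output (only what main.cf sets explicitly).
OVERRIDES='smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot'

# On a real host, use instead:  DEFAULTS=$(postconf -d)  OVERRIDES=$(postconf -n)

# lookup NAME TEXT: print the value of the exact parameter NAME; fail if absent.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k && $2 == "=" { sub(/^[^=]*= ?/, ""); print; found = 1; exit }
        END { exit !found }'
}

# effective NAME: main.cf wins; otherwise the compiled-in default applies.
effective() {
    lookup "$1" "$OVERRIDES" || lookup "$1" "$DEFAULTS"
}

# source_of NAME: say where the effective value comes from.
source_of() {
    if lookup "$1" "$OVERRIDES" >/dev/null; then echo main.cf; else echo default; fi
}

# report: smtpd_* is Postfix accepting logins; smtp_* is Postfix logging in to a relay.
report() {
    for side in smtpd smtp; do
        printf '%-5s sasl_type=%s (%s) auth_enable=%s (%s)\n' "$side" \
            "$(effective "${side}_sasl_type")" "$(source_of "${side}_sasl_type")" \
            "$(effective "${side}_sasl_auth_enable")" \
            "$(source_of "${side}_sasl_auth_enable")"
    done
}

report
```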

Wed, 10/10/2018 - 20:04
atleast

Kindly check all of the above and advise me, and I hope you get guided.

Thu, 10/18/2018 - 10:31
KitchM

Many thanks for the response. I believe you are finding the conflict in Webmin/Virtualmin. It is not a standard that most admins understand. There are things going on within the code that are confusing.

Thanks again.

Fri, 10/19/2018 - 04:35
Jfro

Here output FYI:

lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus

Sorry: ;)

smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus

I'm not writing which settings it should be, only which are in our box at this moment and active. We are using dovecot for the mail. So something wrong or?

CentOS 7.5 and VM6.03-2 (installed Sept 2017, then of course with one of the first VM6.x versions)

Mon, 10/22/2018 - 12:54
KitchM

Thanks, Jfro. So why do you think that Cyrus is the default when you are using Dovecot server already?

Tue, 10/23/2018 - 02:45
Jfro

These are the settings even after installing dovecot.

(EDIT:) This is output of postfix conf-d, but these settings aren't in the master.cf! (So something default of virtualmin?)

Wrong? (At the time of install, September 2017, sasl wasn't set up by the virtualmin script, and a command from virtualmin to do that afterwards is here on the forum somewhere, which I used.)

You may be able to fix this by running the following:
# virtualmin system-config --include Postfix
# systemctl restart postfix

But there it should be virtualmin config-system --include

Uh sorry this one: So, report problems you find, when you find them and I'll fix them and tell you what you need to do to apply the fix(es) to your server. Usually it's a matter of updating the virtualmin-config package and running a single command. For example, one can fix the broken saslauthd configuration that prevented SMTP authentication by running: virtualmin config-system --include SASL

Tue, 10/23/2018 - 06:11
Jfro

FOUND THIS ALSO.

HTTP/1.0 500 Perl execution failed
Server: MiniServ/1.890
Date: Tue, 23 Oct 2018 09:10:01 GMT
Content-type: text/html; Charset=iso-8859-1
Connection: close

<h1>Error - Perl execution failed</h1>
<p>can't open /usr/share/doc/dovecot-2.2.10/wiki/usr/share/doc/dovecot-2.2.10/wiki/Migration.Cyrus.txt: No such file or directory at /usr/libexec/webmin/filemin/download.cgi line 27.
</p>

cyrus-sasl-2.1.26: this was installed with yum at that time, after the errors from virtualmin in log files about missing cyrus-sasl. Some info, not virtualmin related: https://stackoverflow.com/questions/33781551/implementations-of-sasl-cyr...

and https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

These were installed on our VM box with yum, while virtualmin showed errors in log files and no mail... and yup, in the config settings it was needed somehow but not installed by the virtualmin install script:

cyrus-sasl 2.1.26-23.el7 The Cyrus SASL library
cyrus-sasl-gssapi 2.1.26-23.el7 GSSAPI authentication support for Cyrus SASL
cyrus-sasl-lib 2.1.26-23.el7 Shared libraries needed by applications which use Cyrus SASL
cyrus-sasl-plain 2.1.26-23.el7 PLAIN and LOGIN authentication support for Cyrus SASL

I am posting here outputs and settings of our box. Not saying that they are correct, only to help with the confusion these parts are giving some, such as the topic starter and so on.

So please correct me if I am doing wrong here or posting off-topic stuff!

P.S. If I added the type dovecot then no mails were received anymore, but I think therefore I did something wrong, don't know, confused too!

Wed, 10/24/2018 - 15:13
KitchM

Yeah, you and me both.

And don't forget that if something needs special handling, then Virtualmin is not offering the automation it is implied to offer. Further, if one needs to ask about something, then how are sysadmins that are trained to do things in industry-standard ways expected to do their jobs?

At this point in time, admins must hire a programmer to look into the Virtualmin code to figure things out. It is bizarre.

Wed, 10/24/2018 - 16:00
Jfro

This reply of mine is off-topic:

Sorry, I don't complain about Virtualmin.

Not only because we use the free version for testing. But still, support takes time on this support forum, also for free version users, and that is great.

Each panel has pluses and minuses. With more expensive ones I have had serious trouble getting some security holes fixed in time, then fixed them myself, but after such you are also no longer standard.

Also, with almost every panel, if you need to make them UX-friendly and foolproof for a lot of things (virtualmin has a lot), it is a hell of a job. That is what people are paid for, yep, external or internal programmers or sysadmins, if someone or a company can't do it themselves. That is how this business works, since working hours and resources and so on have to be paid.

Hiring is one thing; finding the right persons for the job in time is much more difficult these days.

I have experience here with more panels, and virtualmin is not doing a bad job; only if you are not used to it then it could be harder to do things right.

Yep, the docs are not always up to date, sometimes even outdated, and they know this. In my opinion that is the most important thing to have updated, for learning how virtualmin works, also the developer docs. (If you are longer in IT you know that is often the case LEIDER.)

Sorry for my grammar. ;)

I try to give a little of my time to this forum, therefore I use the Virtualmin free version. I don't even know whether some need a programmer or a really good sysadmin who knows how to script.

That automation, if you are not used to it, yup, does things you don't expect, while I was used to doing settings in conf files myself and with yum and so on. Then it is a matter of learning which parts you can do and which parts you had better stay away from if manually doing things in another way than virtualmin. THAT is not that Virtualmin is bad, only that it is somehow different.

I read a lot of your text, KitchM, and I can understand your concerns, but look at it in a positive way as I do: doing things, reading, making failures and so on is a very good way to learn things the hard way, and mostly better to remember than a fully simple automated click-click system. I guess you learned a lot of extra IT server admin also?

If someone is looking for an almost 100% ready system perfect for their situation, hmm. If this was already on the market at a reasonable price, they would soon be the only one, with an almost 100% market monopoly, I'm sure.

If someone is more all-round in IT, as I am, then you're not very good at every part / topic, but knowing that for yourself puts you somewhat ahead of a very good specialist in one part of IT. (Not the most perfect solution, but still a working solution is better than none or one too late...)

A far more important reason to choose Virtualmin (yup, unsupported, I expect): you can choose to do a lot of things apart from the out-of-the-box solution without breaking the complete panel and box. You could have a running system with the PHP version you want, the Apache/Nginx version and HTTP/2, PCI DSS compliant and even TLS 1.3 and many, many more I guess, while still using parts of Virtualmin for the easier server admin part. That is our test: the important parts should work, and backups are even more important going that way.

Be honest, Virtualmin is not a 100-plus-employee company, so don't expect that they can handle as much as that sort of company in time. (FAIR)

Wed, 10/24/2018 - 16:18
Jfro

ONTOPIC:

Please help us out with some misunderstanding about the sasl cyrus and dovecot part. On our box I can understand this was because of failures from me after starting with the early VM6 with some bugs, trying to solve things manually with yum and conf files.

But from reading and finding, as with KitchM, the confusion about this part is in my head too, and in more persons I expect.

Which virtualmin config-system modules / parts could be responsible for this or in conflict with yum installs? In my case this started because, after installing a VM6 box, there were cyrus sasl errors in logs, and I solved this manually by installing that part and also sasl. It is working, but I am confused whether it is working the way it was meant to.

So some DOCS? How to check, and how to config / install / handle these parts, instead of answering here our ... here would be nice. hihi ;)

Fri, 10/26/2018 - 17:14
KitchM

@Jfro, Thanks for your thoughts. However, the issue here proves without any variables that the Webmin/Virtualmin system is not industry standard; if there is such a thing. Although they claim it is. So I'm just going by their position.

In this issue you see that we still do not know: 1. Why they are using Cyrus for security, when Dovecot exists for the same purpose. 2. What would happen to their system if the user takes out Cyrus.

Anyone is free to play around with something to see what breaks, but I don't have that sort of time.

Fri, 10/26/2018 - 22:01
Joe

Cyrus packages provide saslauthd, which is used for SMTP authentication. It is not used for IMAP/POP in a default Virtualmin system. Dovecot provides IMAP and POP. It is historic. Dovecot didn't always have a saslauthd implementation. It's not related to IMAP/POP, and doesn't conflict, so there's never been reason to change...it's small.

--

Check out the forum guidelines!

Fri, 10/26/2018 - 22:09
Joe

"Anyone is free to play around with something to see what breaks, but I don't have that sort of time."

Then, why are you playing around? Cyrus saslauthd works, it is small, it is reliable, it has been in use in (100,000+) Virtualmin systems for a dozen years. Dovecot works fine for POP/IMAP. So, if you don't have time to play around, it makes no sense to mess with what isn't broken.
