On Wed, Feb 18, 2026 at 10:30:27AM -0500, Wietse Venema via Postfix-users wrote:
> You can build Postfix with both Dovecot SASL and Cyrus SASL, then
> use Dovecot SASL only for the Postfix SMTP server (smtpd), and use
> Cyrus SASL only for the Postfix SMTP client (smtp).

My script to build from source (you probably want to set OSSL=/usr,
unless you also build your own OpenSSL from source):

    #! /bin/sh

    PFIX=/opt/postfix
    OSSL=/opt/openssl/3.5
    OSSL_LDFLAGS="-Wl,-R,$OSSL/lib64 -L$OSSL/lib64 -lssl -lcrypto"
    OSSL_CFLAGS="-I$OSSL/include"

    make -f Makefile.init dynamicmaps=yes shared=yes pie=yes \
        openssl_path=/$OSSL/bin/openssl \
        "CCARGS=$OSSL_CFLAGS "'-DNO_NIS -DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_PCRE=2 -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_CDB -DHAS_LMDB' \
        "AUXLIBS=$OSSL_LDFLAGS "'-lsasl2 -ldb' \
        'AUXLIBS_CDB=-lcdb' \
        'AUXLIBS_PCRE=-lpcre2-8' \
        'AUXLIBS_LMDB=-llmdb' \
        command_directory=$PFIX/sbin \
        config_directory=$PFIX/etc \
        daemon_directory=$PFIX/libexec \
        data_directory=/var/lib/postfix \
        mailq_path=$PFIX/sbin/mailq \
        newaliases_path=$PFIX/sbin/newaliases \
        queue_directory=/var/spool/postfix \
        sendmail_path=$PFIX/sbin/sendmail \
        shlib_directory=$PFIX/lib64/MAIL_VERSION \
        html_directory=no \
        manpage_directory=$PFIX/man \
        readme_directory=no \
        makefiles

I then have:

    $ postconf -a
    cyrus
    dovecot
    $ postconf -A
    cyrus

And then I select dovecot auth for the SMTP server in main.cf:

    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot

On the dovecot side beware the massive changes from 2.3 to 2.4.
A complete overhaul of the configuration syntax broke my setup
when upgrading from 2.3 to 2.4.1 and then again to 2.4.2.
Therefore, I strongly recommend starting from Dovecot 2.4.2, build from
source if necessary to avoid future pain.

Likely your needs will be simpler, I have a mix of GSSAPI and PLAIN
users, with the PLAIN passwords in a dovecot-specific password file,
that is separate from /etc/passwd. Also a static userdb, and the syntax
for all these has changed dramatically. *Today* it is as below, who
knows what it'll be tomorrow. Can't say I'm lately pleased with
dovecot's configuration "stability". Postfix has never disrespected
its users by introducing such major incompatible changes. Will the
beatings stop after 2.4???

    userdb static {
      # Did not need the line below in 2.4.1
      allow_all_users = yes
      fields {
        uid=504
        gid=504
        mail_driver=maildir
        mail_path=/home/dovecot/%{user | username}
      }
    }

    # GSSAPI users don't need no stinkin' "passwords",
    # Did not need this entire block in 2.4.1
    #
    passdb static {
      passdb_mechanisms_filter = gssapi
      fields {
        password = dummy
      }
    }

    # PLAIN users have an IMAP-specific password file.
    # This supports iPads, iPhones, ... that don't do
    # GSSAPI, but also don't get shell logins and aren't
    # listed in /etc/passwd, /etc/shadow... Passwords
    # strong random strings issued to the user by the
    # administrator, not user-selected.
    #
    passdb passwd-file {
      passdb_mechanisms_filter = plain
      driver = passwd-file
      passwd_file_path = /etc/dovecot/passwd
      default_password_scheme = SHA512-CRYPT
    }

The rest of the changes in 2.4 are also major, but
not quite as non-obvious.

    dovecot_config_version = 2.4.2
    dovecot_storage_version = 2.4.2

    auth_realms = ...
    auth_mechanisms = gssapi plain
    auth_gssapi_hostname = "$ALL"
    auth_krb5_keytab = /var/spool/keytabs/imap

    # Enable IMAP, but disable the port 143 service,
    # leaving only 993 "imaps".
    #
    protocols = imap
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }

    # Allow the Postfix SMTP server to delegate SASL auth to dovecot.
    #
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }

--
Viktor. 🇺🇦 Слава Україні!
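
Added example, not part of the original message and not code from Postfix or Dovecot: a shell check that the smtpd_sasl_type / smtpd_sasl_path settings and the Dovecot "service auth" listener quoted above point at the same socket, and that the socket mode gives no access to other users. The function names, the constructed sample files, and the rule that a listener without an explicit mode is reported as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check both sides of the SASL socket from config text only.

# main_cf_get FILE NAME: print the value of "NAME = value" from a main.cf file.
main_cf_get() {
    awk -F '=' -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# auth_listeners FILE: print "path mode" for each unix_listener in "service auth".
auth_listeners() {
    awk 'depth == 0 { if ($0 ~ /^[ \t]*service[ \t]+auth[ \t]*\{/) depth = 1; next }
        /^[ \t]*#/ { next }
        /^[ \t]*unix_listener[ \t]/ { path = $2; mode = "unset" }
        /^[ \t]*mode[ \t]*=/ && path != "" { split($0, kv, "="); mode = kv[2]; gsub(/[ \t]/, "", mode) }
        /\{/ { depth++ }
        /\}/ { depth--; if (depth == 1 && path != "") { print path, mode; path = "" } }' "$1"
}

# check_sasl_socket MAIN_CF DOVECOT_CONF QUEUE_DIR: return 0 only if smtpd uses
# dovecot SASL, a listener exists at the resolved path (a relative smtpd_sasl_path
# is taken relative to the queue directory), and "other" has no access.
check_sasl_socket() {
    stype=$(main_cf_get "$1" smtpd_sasl_type)
    spath=$(main_cf_get "$1" smtpd_sasl_path)
    [ "$stype" = dovecot ] || { echo "FAIL: smtpd_sasl_type is '$stype'"; return 1; }
    case $spath in /*) want=$spath ;; *) want=$3/$spath ;; esac
    mode=$(auth_listeners "$2" | awk -v p="$want" '$1 == p { print $2 }')
    case $mode in
        "")       echo "FAIL: no auth unix_listener at $want"; return 1 ;;
        unset)    echo "FAIL: $want has no explicit mode"; return 1 ;;  # example policy
        ??0|0??0) echo "OK: $want mode $mode" ;;
        *)        echo "FAIL: $want mode $mode is open to other users"; return 1 ;;
    esac
}

# Constructed sample inputs mirroring the settings quoted in the message above.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'smtpd_sasl_path = private/auth\nsmtpd_sasl_type = dovecot\n' > "$demo/main.cf"
cat > "$demo/dovecot.conf" <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
EOF
check_sasl_socket "$demo/main.cf" "$demo/dovecot.conf" /var/spool/postfix
```

On a live system the same comparison can be fed from files written by `postconf -n` and `doveconf -n` instead of the sample files.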