pkgsrc-Users archive


Re: enabling cyrus-sasl in postfix by default



On Tue, May 05, 2026 at 05:27:35PM +0200, Edgar Fuß wrote:
> > Does anyone have objection to adding 'sasl' to PKG_SUGGESTED_OPTIONS in
> > mail/postfix/options.mk?  This would add a dependency on cyrus-sasl for
> > the default build.
> I don't care personally because I build everything myself, but what about 
> other people using postfix with dovecot's SASL?
> 
> As Wietse Himself says (in SASL_README):
> People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library contains a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.
> 
> Note that Dovecot SASL works across a socket, not by linking in a library.

You'd still get a choice of what SASL to use at runtime, and whether to
even enable SASL.

The other options I have are a mail system that doesn't permit sending,
or an open relay.  Both of those options are far worse security-wise
than linking to cyrus-sasl.

It's absurd to even suggest I install dovecot, a complete IMAP and SASL
implementation, and then only use its SASL for postfix, and continue to
use cyrus-imap for IMAP.

This isn't even a problem on Debian, they simply support both out of the
box.

