NetBSD-Users archive


Re: postfix, dovecot, sasl & tls



On Mar 11, 2011, at 1:50 PM, Jan Danielsson wrote:
>   First, am I correct in assuming that SASL is something which can be
> used to pass authentication information coming from the mail client,
> "through" postfix, into dovecot (in my case) which will then be able to
> validate the supplied authentication information, and if it checks out,
> then that "seal of approval" is sent back to postfix, so that it can
> treat the user as someone being "on the same network" (i.e. being
> allowed to relay mail bound for an external server)?

Sort of.  Dovecot doesn't have to be involved at all, as you can use SASL to 
authenticate against local user accounts (via saslauthd), LDAP, or other 
sources.  But yes, you can use SASL to try and authenticate against users which 
exist only in Dovecot if you like:

  http://www.postfix.org/SASL_README.html#server_dovecot

> Next, assuming I got the first part correct, is it possible to
> configure <subj> to only allow users who have presented a proper (read:
> fully verified) client certificate to be allowed to relay mails through
> the server? (i.e. simply supplying username/password authentication
> would not be sufficient, they must also present a certificate signed by
> the server's CA). A simple yes/no would suffice, I just want to know if
> I'm wasting my time trying to figure out how to do it.

Yes.  You will probably discover that requiring client-side certs will break 
TLS with various MTAs, but it's documented here:

  http://www.postfix.org/TLS_README.html#server_vrfy_client

Regards,
-- 
-Chuck
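The two pointers above, combined into one configuration as an added example. This is not from Chuck's reply, the original question, or the Postfix or Dovecot documentation; file paths, certificate and CA file names, the NetBSD-style chroot column in master.cf and the Dovecot 2.x socket syntax are assumptions. It answers both questions at once: Postfix hands AUTH to Dovecot over its auth socket, and on the submission port TLS is mandatory, a client certificate signed by the site CA is mandatory, and SASL is still required before relaying (a certificate alone does not permit relay). Port 25 stays at `may` so the client-cert requirement does not break TLS delivery from other MTAs.

```conf
# /etc/postfix/main.cf  (site paths and file names are assumptions)

# SASL: let Dovecot validate credentials over its auth socket (Dovecot config below).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes                     # never advertise AUTH on a cleartext session

# Server-side TLS. Keep port 25 at "may": other MTAs must still be able to
# deliver to us, so the client-certificate requirement lives on submission only.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/openssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/openssl/private/mail.example.org.key
smtpd_tls_CAfile = /etc/postfix/client-ca.pem   # the CA that issues the client certs
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_loglevel = 1

# Port 25 policy: local network and own domains only.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/master.cf  (submission entry; chroot column "n" as on NetBSD)
# TLS mandatory, a trusted client certificate mandatory for the handshake to
# succeed, and SASL still mandatory to relay.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# /etc/dovecot/conf.d/10-master.conf  (Dovecot 2.x syntax)
# The socket Postfix reaches as "private/auth", relative to queue_directory.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

With `smtpd_tls_req_ccert = yes` a client that cannot present a certificate chaining to `smtpd_tls_CAfile` never gets past the TLS handshake on port 587, and the `permit_sasl_authenticated,reject` list then refuses anything that is not also SASL-authenticated, which is the "both" the question asks for. If a certificate alone should be enough, the TLS_README alternatives are `permit_tls_all_clientcerts` (any certificate from the trusted CA) or `permit_tls_clientcerts` with a `relay_clientcerts` fingerprint table. Check the result with `postconf -n` and a client connection such as `openssl s_client -starttls smtp -connect mail.example.org:587 -cert client.pem -key client.key`: without `-cert`/`-key` the handshake should fail, and with them the server should still reject `RCPT TO` an external address until `AUTH` has succeeded.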


