Enhanced Email Auth with Full Alias Support

Posted by: mstauber Category: General

We are pleased to announce a significant improvement to BlueOnyx email services: full support for email address-based authentication, including aliased addresses, across SMTP, POP3, and IMAP protocols.

Recent Background

The latest DNF updates introduced Email Autoconfiguration for easier setup of email clients (such as Outlook). At the same time, the authentication stack for the MTAs (Postfix or Sendmail) and Dovecot was updated to accept logins using the full email address—in addition to the traditional username—provided the local part (before the @) matched the actual username and was not an alias.

While this resolved many issues for Outlook and similar clients, it still required users to send from their non-aliased primary email address, limiting flexibility for those relying on aliases.

New "True" Email-Based Authentication

Over the past few days, we have implemented comprehensive email address authentication that fully supports aliases. This update is now live in the latest RPM packages.

Key Improvements by Component

Postfix and Dovecot (Recommended MTA)

Authentication for SMTP, POP3, and IMAP now supports:

  • Traditional username + password
  • Non-aliased email address + password
  • Any aliased email address associated with the account + password

Users can now log in and send/receive using any of their configured email aliases seamlessly.

Sendmail

Due to architectural limitations in Sendmail, authentication remains more restricted:

  • Traditional username + password
  • Non-aliased email address + password

Aliased email addresses cannot be used for SMTP login when Sendmail is the active MTA. We recommend switching to Postfix for full alias support, as Sendmail's age limits modern authentication flexibility.

Email Autoconfiguration Update

The XML configuration file generated for email clients (e.g., Outlook) has been revised. It now reports the exact email address the user entered during setup, rather than forcing the non-aliased primary address. This enables true alias-based configuration from the start.

How It Works Under the Hood

Previously, authentication relied on Cyrus SASL or Saslauthd via PAM. The new implementation introduces Dovecot-Auth, a custom middleware tailored for BlueOnyx, which interfaces with PAM.

A helper script (/usr/sausalito/bin/blueonyx-postfix-generate-sender-login-maps.pl) runs during Postfix/Sendmail restarts. It queries the BlueOnyx CODB database and generates two map files:

  • /etc/dovecot/blueonyx-login-aliases.map — Maps all valid email addresses (including aliases) to their owning usernames.
  • /etc/dovecot/blueonyx-login-disabled.map — Lists email addresses/accounts ineligible for login (e.g., suspended Vsites, individually suspended users, Vsites with email disabled, or users with email service disabled).

Dovecot consults these maps during authentication to map the provided email address to the correct system username, ensuring proper validation.
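The lookup described above, as an added example (not BlueOnyx's own code): resolve a login identifier to its owning username, and reject it when either the identifier or its owner is listed as disabled. The page does not give the on-disk format of the two maps, so the one-entry-per-line layout, the sample entries, the lowercase comparison and the fail-closed handling of an address claimed by two accounts are all assumptions; the password check via PAM would follow this step.

```python
# Added illustration; map formats and entries are assumed/constructed.
ALIASES_MAP = """\
# assumed format: <login address> <owning username>
alice@example.com  alice
sales@example.com  alice
bob@example.com    bob
Info@example.com   bob
info@example.com   carol
dave@example.org   dave
"""
DISABLED_MAP = """\
# assumed format: one ineligible username or address per line
dave
"""

def _entries(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_aliases(text):
    """Return ({address: owner}, ambiguous addresses). Addresses are lowercased."""
    owners, ambiguous = {}, set()
    for line in _entries(text):
        addr, user = line.split()
        addr = addr.lower()
        if owners.setdefault(addr, user) != user:
            ambiguous.add(addr)      # same address claimed by two accounts
    for addr in ambiguous:
        del owners[addr]             # fail closed: never guess the owner
    return owners, ambiguous

def parse_disabled(text):
    """Return the set of disabled usernames/addresses, lowercased."""
    return {line.lower() for line in _entries(text)}

def resolve(login, owners, disabled):
    """Map a login (username or address) to a system username, or None to reject."""
    key = login.strip().lower()
    user = owners.get(key) if "@" in key else key
    if user is None or key in disabled or user.lower() in disabled:
        return None
    return user

if __name__ == "__main__":
    owners, ambiguous = parse_aliases(ALIASES_MAP)
    disabled = parse_disabled(DISABLED_MAP)
    for login in ("alice", "Sales@Example.com", "dave@example.org", "info@example.com"):
        print(login, "->", resolve(login, owners, disabled))
    print("ambiguous:", sorted(ambiguous))
```

Checking the owner as well as the entered address is what keeps an alias from becoming a way around a suspension.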

Security & Access Controls

Login attempts are automatically rejected for:

  • Accounts in suspended Vsites
  • Individually suspended user accounts
  • Vsites with email services disabled
  • Users with email service individually disabled

This enhancement significantly improves usability, compatibility with modern mail clients, and overall consistency—while preserving BlueOnyx’s strict security and service controls.

Please note: Even if all Dovecot services (POP3/IMAP) are disabled, Dovecot now remains running in a minimal mode to provide the Dovecot-Auth service required by Postfix for SMTP authentication.

Performance Notes

  • Postfix restarts are slightly longer (typically 1–3 seconds extra) due to map file generation, depending on the number of users/aliases.
  • Authentication processing time remains virtually unchanged (differences are in the low millisecond range).

Availability

Updated RPM packages incorporating these changes have been published today for BlueOnyx 5210R, 5211R, and 5212R. Update your systems via DNF/YUM to apply the improvements.

Updated ISO images and Incus Images for BlueOnyx 5210R, 5211R and 5212R have been published as well.

For full details on the code changes, see the SVN changeset:
https://devel.blueonyx.it/trac/changeset?reponame=&new=6032%40%2F&old=6018%40%2F

We believe this update delivers a much smoother and more professional email experience, especially for users with multiple aliases or those configuring clients like Outlook. Feedback and questions are welcome!


Jan 14, 2026 Category: General Posted by: mstauber