[Dovecot] Fwd: Re: sasl parameters missing (in postfix)
Daniel Black
daniel.subs at internode.on.net
Thu Aug 7 14:32:41 EEST 2008
In response to my request for postfix to support dovecot auth arguments I got
the forwarded reply.
If someone gets around to this before me I won't be offended.
------------
Story is I deployed a webmail with certificate based authentication that
substitutes a global master password
(http://wiki.dovecot.org/Authentication/MasterUsers) when the certificate
matches. The webmail accesses the inbox by imap and reuses the password for
smtp through postfix.
I configured dovecot sasl authentication to allow a particular global password
to be allowed from one IP address of the webmail server. Unfortunately it
seems as though postfix doesn't pass rip= (remote ip) or the other AUTH
parameters of the protocol (http://dovecot.org/doc/auth-protocol.txt).
Is adding these parameters to postfix's sasl authentication a useful feature
request?
---------- Forwarded Message ----------
Subject: Re: sasl parameters missing
Date: Thu, 7 Aug 2008
From: Wietse Venema <wietse at porcupine.org>
To: Daniel Black <daniel.subs at internode.on.net>
Daniel Black:
> Thanks Wietse,
>
> On Tue, 5 Aug 2008 09:30:44 am Wietse Venema wrote:
> > Postfix passes the information in the SMTP client's AUTH command.
> > This is how I got the Dovecot extension from Timo. If someone is
> > willing to monitor his docs for changes,
>
> it seems fairly stable. Going off the doc/auth-protocol.txt changelog
> Nov 12 2006 lport/rport was added.
> Aug 07 2005 changed valid-client-cert to ssl-valid-cert
> Oct 22 2004 original documentation
>
> Current implementation of the authentication server in dovecot seems to
> ignore parameters it doesn't understand.
>
> > then they are welcome to do so. I won't.
>
> On the basis of this apparent stability and compatibility would you consider
> accepting a patch?
Yes. No promise, though, that it will be adopted.
One consideration is that Postfix does not talk directly to Dovecot,
but instead talks to an abstraction layer that is used for both
Cyrus SASL and for Dovecot.
Obviously, that XSASL abstraction layer must not be made specific
to the underlying Cyrus SASL or Dovecot implementation. The solution
therefore is not to extend XSASL functions with one extra argument
for each Dovecot feature. Apart from being Dovecot-specific,
functions with many parameters are difficult to update correctly;
compilers can't always tell that two arguments should be swapped.
I solved the problem of many-parameter functions by using macros
such as TLS_SERVER_START(). This gives more assurance that data
is passed correctly, and is less likely to break due to human
maintainer error.
Wietse
-------------------------------------------------------
--
Daniel Black
--
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
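
Added example, not part of the original message and not Postfix or Dovecot code: a sketch of the named-field macro pattern described in the forwarded reply, used to carry connection attributes to a function that formats a Dovecot AUTH request including rip=. AUTH_PROPS, AUTH_PROPS_SET and dovecot_auth_line are hypothetical names; the lip=, rip=, secured and resp= fields follow doc/auth-protocol.txt, and all values are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical backend-neutral property bag (not Postfix's XSASL types). */
typedef struct {
    const char *service;      /* protocol name, e.g. "smtp" */
    const char *local_addr;   /* server-side IP, sent as lip= */
    const char *remote_addr;  /* client IP, sent as rip= */
    int secured;              /* nonzero if the session is TLS-protected */
} AUTH_PROPS;

/* Call sites write "field = value", so two same-typed values cannot be
 * swapped silently the way positional arguments can. */
#define AUTH_PROPS_SET(p, a1, a2, a3, a4) \
    (memset((p), 0, sizeof(*(p))), \
     ((p)->a1), ((p)->a2), ((p)->a3), ((p)->a4), (p))

/* A TAB, CR or LF inside a value would add fields or lines to the request. */
static int field_ok(const char *s)
{
    return s != NULL && *s != '\0' && strpbrk(s, "\t\r\n") == NULL;
}

/* Format one AUTH request with resp= last; -1 on bad input or truncation. */
int dovecot_auth_line(char *buf, size_t len, unsigned id, const char *mech,
                      const AUTH_PROPS *p, const char *resp_b64)
{
    int n;
    if (!field_ok(mech) || !field_ok(p->service) || !field_ok(p->local_addr)
        || !field_ok(p->remote_addr) || !field_ok(resp_b64))
        return -1;
    n = snprintf(buf, len,
                 "AUTH\t%u\t%s\tservice=%s\tlip=%s\trip=%s%s\tresp=%s\n",
                 id, mech, p->service, p->local_addr, p->remote_addr,
                 p->secured ? "\tsecured" : "", resp_b64);
    return (n < 0 || (size_t) n >= len) ? -1 : n;
}

int main(void)
{
    AUTH_PROPS props;
    char line[512];
    /* Constructed sample values: documentation addresses, dummy response. */
    if (dovecot_auth_line(line, sizeof(line), 1, "PLAIN",
            AUTH_PROPS_SET(&props, service = "smtp", local_addr = "192.0.2.25",
                remote_addr = "198.51.100.7", secured = 1), "AGR1bW15AGR1bW15") > 0)
        fputs(line, stdout);
    return 0;
}
```

A field left unset by the macro stays NULL after the memset and is rejected by field_ok, so a caller that forgets the remote address gets an error rather than a request without rip=.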