Just another reminder..
https://github.com/dovecot/core/pull/86
This will allow plugins to make 'capability' advertisements more dynamic..
On 2020-08-21 7:56 a.m., Steffen Nurpmeso wrote:
Aki Tuomi wrote in 1907575568.4364.1597984769802@appsuite-dev-gw1.open-xchange.com: |> On 21/08/2020 02:17 Steffen Nurpmeso steffen@sdaoden.eu wrote: ... |> Wietse Venema wrote in |> 4BXSTk189nzJrP3@spike.porcupine.org: |> ... |>|Steffen Nurpmeso: |> ... |>|> until SASL says it is done?!. How could EXTERNAL ever work like |>|> that in a client/server->auth-server situation? ... |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions |>|two attributes that might be relevant, and that Postfix can send: |>| |>|secured |>| Remote user has secured transport to auth client] (eg. localhost,
|>| SSL, TLS) |>| |>|valid-client-cert |>| Remote user has presented a valid SSL certificate. |>| |>|But these are booleans. What protocol attribute would Postfix use |>|to pass certificate name information (and which name, as there |>|can be any number of them)? ... |I was trying to suggest that you could try dovecot submission server.
|It might work better with EXTERNAL authentication.Ok, thanks. Yes, i just faked it for my tests, carrying over the IMAP/POP3 communication. (I use your output as a template and do stuff like
smtp_script smtp -Ssmtp-config=-all,starttls,externanon \ -Stls-config-pairs=Certificate=client-pair.pem { smtp_ehlo && printf '\001STARTTLS \003 220 2.0.0 Ready to start TLS ' && smtp_ehlo 0 && printf '\001 AUTH EXTERNAL = ' && smtp_auth_ok && smtp_go; } | ../net-test -U -s .t.sh > "${MBOX}" 2>&1 check auth-7 0 "${MBOX}" '4294967295 0'
you know. Terrible this does not work for GSSAPI, i am about to ask the MIT people to add two pseudo credentials, one which always works and one which does not, so that automatic testing is possible at all, and via unpriviledged account!)
But wouldn't this be an improvement, extending the protocol so that it announces a fingerprint checksum digest, which then can be used in return to report client certificate fingerprints to the dovecot auth server? Like that even client certificate verification could be handled by dovecot auth, aka via SASL, and administrators would have to take care for one user database only?
Other than that i say Ciao from Germany!
--steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.