Hello.
I am not subscribed and new here, so first of all I want to thank you for dovecot. I personally do not use it in "production" (yet), but it is my sole point of interaction for testing the little MUA I have maintained for quite some years. I have also used its code for affirmation purposes. (Interesting that OAUTHBEARER treats hostname and port as optional. I currently do OAUTHBEARER.)
So then I stumbled over GSSAPI not being usable anymore with the latest release, but it seems there is an ML thread with a fix. I have not tried it; I reverted to the last release here, though.
When I implemented EXTERNAL authentication last year I could not figure out how to make postfix+dovecot-SASL work with it. First of all I had to switch configs back and forth, but in the meantime I learned a very nice trick: if I use two password databases
  passdb {
    driver = passwd-file
    mechanisms = external
    args = /etc/dovecot/pass-external.db
    override_fields = nopassword
  }
  passdb {
    driver = passwd-file
    args = /etc/dovecot/pass.db
  }
  userdb {
    driver = passwd
  }
which are effectively the same except that one does not have passwords while the other has, I can use EXTERNAL (with and without an additional user-via-protocol) in combination with auth_ssl_username_from_cert=yes, and it just works!
Whereas EXTERNAL works just fine for IMAP and POP3, it does not for SMTP. Last year when I did it I saw a postfix ML thread in action, so I have not looked further into that. Looking again with things unchanged in the postfix 3.5 that they mentioned by then, I think, I now posted to the postfix list myself yesterday [1], and it turned out that postfix seems incapable of doing something about it, because the dovecot auth protocol does not offer the possibility to specify a valid-user-certificate-seen flag as well as pass the username from the certificate. (Or even pass the entire certificate as a base64 string, less postfix CA, .. or whatever.)
[1] https://marc.info/?l=postfix-users&m=159785887710910&w=2
What is really terrible with the current situation is that postfix announces EXTERNAL, with Wietse Venema saying:
> Short summary: Postfix does not implement a single iota of SASL AUTH support. Postfix simply propagates the names of mechanisms that the backend (Cyrus or Dovecot) claims to support, and Postfix proxies requests and responses between the remote SMTP client and the SASL backend. Postfix has no idea what SASL mechanisms are, including EXTERNAL. It just proxies stuff.
If Dovecot claims to support SASL EXTERNAL but does not handle it, then that is a bit of a WTF.
It would be tremendous to have true EXTERNAL support all through. I personally really like EXTERNAL; I would rather have some password-protected cryptographically secured certificates in my local store, and have client certificates in all the IoT devices, than have to mess around with the OAUTH that the major players press forward, for example.
Thanks, and Ciao from Germany,
--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
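For readers who want to reproduce the two-passdb trick from the post, here is an added example of the TLS settings it sits on top of; it is not part of the post and the certificate paths and database file names are placeholders. The point of ssl_ca and ssl_verify_client_cert is that dovecot only marks a connection as having a valid client certificate after verification against that CA, and the EXTERNAL mechanism refuses to authenticate a connection without that mark.

```conf
# Added example, not from the post. Paths and file names are placeholders.
ssl = required
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key

# Request a client certificate and verify it against this CA. Only a
# verified certificate sets the "valid client cert" flag that the
# EXTERNAL mechanism requires; an unverified or absent one fails EXTERNAL.
ssl_ca = </etc/dovecot/client-ca.pem
ssl_verify_client_cert = yes

# Take the login name from the certificate (commonName by default), so the
# client may send an empty authorization identity with EXTERNAL.
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

auth_mechanisms = plain login external

# EXTERNAL only: a password-less copy of the user list. "nopassword" accepts
# the user without a password check, and "mechanisms" keeps this passdb from
# being consulted for PLAIN or LOGIN, so it can never replace a password.
passdb {
  driver = passwd-file
  mechanisms = external
  args = /etc/dovecot/pass-external.db
  override_fields = nopassword
}

# PLAIN and LOGIN: the normal password database.
passdb {
  driver = passwd-file
  args = /etc/dovecot/pass.db
}

userdb {
  driver = passwd
}
```

To check it, connect with `openssl s_client -connect host:993 -cert client.pem -key client.key` and issue `a AUTHENTICATE EXTERNAL =` (the `=` is an empty initial response, so the name comes from the certificate); the same command without `-cert` must be refused.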