Hey folks,
I've been using the ever popular Dovecot and Postfix combo for years. A while back I also introduced mutual TLS for mail clients to Dovecot and Postfix. I achieved this by a custom checkpassword script and SASL AUTH EXTERNAL for IMAP.
This all worked great with clients like Thunderbird, which can be configured to use mutual TLS and SASL EXTERNAL for IMAP, and mutual TLS with no additional authentication for SMTP. However, I found that other mail clients, in particular K-9 mail on Android [1], are not compatible with this configuration.
I've been patching K-9 mail to work around this issue for some time now. If I configure K-9 to behave like Thunderbird when sending messages via SMTP, all is well. However, there's been some activity on an issue [2] which suggests some changes may be upcoming which will be incompatible with my patch.
Without my patch, K-9 tries to auth with Postfix via AUTH EXTERNAL after presenting its client certificate. Despite configuring Postfix to prefer certificates before SASL, Postfix forwards the authentication request to Dovecot, which rejects it without even trying my checkpassword script.
With my patch, K-9 simply initiates an SMTP connection without any additional authentication when mutual TLS is used. This behavior is similar to Thunderbird. The K-9 maintainers do not seem interested in merging this behavior into mainline.
I can't seem to get Postfix to ignore the SASL failures in the case of successful mutual TLS. I want to use SASL authentication as a fallback from untrusted clients, where I use a combination of password and one time code.
Even if Dovecot did not reject the AUTH EXTERNAL request from Postfix, I'm not sure how it could determine whether a valid client certificate was presented to Postfix, unless some additional information were passed along in the SASL request.
I'd love to hear any thoughts from the community on how to move forward here. Should I pressure the K-9 maintainers to behave more like other clients? Would it make sense to extend the SASL interface in some way such that Dovecot could handle an EXTERNAL request from Postfix? Or should Postfix simply ignore SASL EXTERNAL based on the configured authentication mechanism order?
Thanks, Matt
[1] https://github.com/k9mail/k-9/
[2] https://github.com/k9mail/k-9/issues/793
--
Matt Horan
matt@matthoran.com
http://matthoran.com/
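An added Postfix main.cf fragment (constructed for this thread, not Matt's actual configuration) showing the certificate-before-SASL relay order the post describes; the file paths and the fingerprint table are placeholders.

```ini
# Postfix main.cf (constructed example): TLS required, client certificate optional.
# Postfix treats "#" only at the start of a line, so comments never follow a value.
smtpd_tls_security_level = encrypt
# placeholder paths for the server certificate and key
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file  = /etc/postfix/tls/server.key
# CA that issued the mail clients' certificates (placeholder path)
smtpd_tls_CAfile    = /etc/postfix/tls/client-ca.pem
# request a client certificate during the handshake, but do not require one
smtpd_tls_ask_ccert = yes

# Only certificates whose fingerprint is listed may relay without SASL.
# Each line of the table is "<sha256 fingerprint> <free-form comment>".
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# SASL through Dovecot stays enabled as the fallback for clients without a certificate
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous

# The order here governs only the relay decision: a listed certificate is
# accepted before the SASL state is even consulted.
smtpd_relay_restrictions =
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    reject_unauth_destination
```

Note that `smtpd_relay_restrictions` is evaluated per RCPT TO and only decides whether relaying is permitted; it has no influence on how the AUTH command itself is answered, so a client that insists on sending AUTH EXTERNAL still receives the SASL backend's verdict before any restriction runs.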