[Dovecot] Re: PATCH: Dovecot SASL authentication for Postfix 2.3-20051220
I'm adding the finishing touch to the Postfix Dovecot plug-in, to be released with snapshot 20051223. The plug-in code quality is generally very good.
I had two observations, both of minor importance:
- The authentication server protocol uses the TAB character as a delimiter, so it is critical that legitimate user names don't contain this character. This is of course trivial to ensure with the authentication server implementation, so I will not worry about it.
- I noticed that the plug-in did not satisfy one Postfix principle, namely that operations be bounded in time. I added a time limit for connect, read and write operations. Postfix will time-bound all operations anyway, but the diagnostics of the watchdog timer are less specific and therefore less useful.
Wietse
On 23.12.2005, at 17:11, Wietse Venema wrote:
> - The authentication server protocol uses the TAB character as a delimiter, so it is critical that legitimate user names don't contain this character. This is of course trivial to ensure with the authentication server implementation, so I will not worry about it.
Oh, right. Actually the replies may contain \001 escaped characters:
\001 1 -> \001
\001 t -> TAB
\001 n -> LF
But in practice none of these should ever come. I haven't yet bothered to make Dovecot itself even unescape these internally. Maybe that could even be considered a feature. Usernames having TABs or LFs could cause all kinds of other trouble.
participants (2)
- Timo Sirainen
- wietse@porcupine.org
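The TAB-delimiter concern and the \001 escape table discussed in this thread, shown as an added example that is not part of the original messages or of the Postfix or Dovecot code. The `OK`/id/`user=` line shape, the function names and the sample user name are constructed assumptions; only the three escape sequences come from the thread.

```python
# Escape table exactly as listed in the thread: \001 1, \001 t, \001 n.
ESC = "\x01"
ENCODE = {"\x01": ESC + "1", "\t": ESC + "t", "\n": ESC + "n"}
DECODE = {"1": "\x01", "t": "\t", "n": "\n"}

def escape_field(value: str) -> str:
    """Escape one field so it never carries a raw TAB, LF or \\001."""
    return "".join(ENCODE.get(ch, ch) for ch in value)

def unescape_field(value: str) -> str:
    """Reverse escape_field(); reject sequences the table does not define."""
    out, chars = [], iter(value)
    for ch in chars:
        if ch != ESC:
            out.append(ch)
            continue
        code = next(chars, None)  # None means a dangling \001 at end of field
        if code not in DECODE:
            raise ValueError(f"invalid escape sequence: \\001 + {code!r}")
        out.append(DECODE[code])
    return "".join(out)

def build_line(fields, escape=True):
    """Join fields with TAB and terminate with LF (one message per line)."""
    if escape:
        fields = [escape_field(f) for f in fields]
    return "\t".join(fields) + "\n"

def parse_line(line: str):
    """Split on raw TABs first, then unescape each field."""
    if not line.endswith("\n") or "\n" in line[:-1]:
        raise ValueError("expected exactly one LF-terminated line")
    return [unescape_field(f) for f in line[:-1].split("\t")]

def is_safe_username(name: str) -> bool:
    """The simpler policy from the thread: refuse TAB/LF/\\001 outright."""
    return not any(ch in ENCODE for ch in name)

# Constructed sample: a user name that contains a TAB and a key=value pair.
SAMPLE_NAME = "alice\textra=1"
UNESCAPED = build_line(["OK", "1", "user=" + SAMPLE_NAME], escape=False)
ESCAPED = build_line(["OK", "1", "user=" + SAMPLE_NAME])

if __name__ == "__main__":
    print(parse_line(UNESCAPED))  # the TAB splits the user name into two fields
    print(parse_line(ESCAPED))    # the user name stays inside one field
```

Without escaping, the receiver sees four fields instead of three, which is why the thread treats a TAB in a user name as something the authentication server must rule out.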