Proxying of non "plain" SASL mechanisms.
Peter Mogensen
apm at one.com
Wed Mar 18 07:50:33 UTC 2015
On 2015-03-18 00:47, Timo Sirainen wrote:
> - If auth proxying is enabled, perform passdb lookup on non-plaintext
> auth on the initial SASL response. Return "finished" to the auth
> client with some "mech-proxy=y" extra field, so it knows to start
> proxying the SASL session to the destination server.
This is actually the tricky part.
To perform a proper passdb lookup, the proxy will have to be able to
decode the user from the SASL IR even though it might not be able to
authenticate. This requires knowledge of the SASL IR format (like
extracting authz-id/authn-id from the PLAIN argument).
That might not be possible for all SASL mechanisms. With GS2-KRB5 you
can always get authz-id. On the other hand, mechanisms like GSSAPI
(which would work for other reasons) require actually performing the
authentication before authz-id can be known.
So ... it might be a bit difficult to precisely define which mechanisms
such a feature covers and which it doesn't.
/Peter
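The mechanism-by-mechanism difference Peter describes (the proxy needs an identity out of the initial response before it can authenticate) is illustrated below with a small parser. This is an added example, not Dovecot code or anything from the thread. It assumes the initial response (IR) has already been base64-decoded from the AUTHENTICATE command, and the sample IRs and the mechanism dispatch in proxy_identity() are constructed for the example. PLAIN follows RFC 4616 (authzid NUL authcid NUL passwd), GS2-KRB5 follows the RFC 5801 gs2-header, and GSSAPI (RFC 4752) carries its authzid only in the final wrapped client message, so nothing can be extracted from its IR.

```python
"""Identity extraction from a SASL initial response (IR), before authentication.

Added example (not Dovecot code). Assumes the IR is already base64-decoded.
"""
from typing import Optional, Tuple


def parse_plain_ir(ir: bytes) -> Tuple[Optional[str], str]:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd.

    Returns (authzid or None, authcid). The password is deliberately not
    returned: a proxy only needs the identities for its passdb lookup.
    """
    parts = ir.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN initial response")
    authzid, authcid, _passwd = parts
    if not authcid:
        raise ValueError("PLAIN authcid must be non-empty")
    return (authzid.decode("utf-8") or None, authcid.decode("utf-8"))


def _unescape_saslname(name: str) -> str:
    """RFC 5801 saslname: ',' is sent as '=2C' and '=' as '=3D'."""
    out = []
    i = 0
    while i < len(name):
        if name[i] == "=":
            tok = name[i:i + 3]
            if tok == "=2C":
                out.append(",")
            elif tok == "=3D":
                out.append("=")
            else:
                raise ValueError("invalid escape in saslname")
            i += 3
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def parse_gs2_header(ir: bytes) -> Tuple[Optional[str], bytes]:
    """RFC 5801 gs2-header: ["F,"] cb-flag "," ["a=" authzid] "," token.

    Returns (authzid or None, remaining mechanism token). The authzid is
    optional in the header; when absent it defaults to the authenticated
    identity, which is only known once the Kerberos exchange completes.
    """
    rest = ir
    if rest.startswith(b"F,"):          # optional non-standard GSS-API flag
        rest = rest[2:]
    cb, sep, rest = rest.partition(b",")
    if not sep or not (cb in (b"n", b"y") or cb.startswith(b"p=")):
        raise ValueError("malformed gs2 channel-binding flag")
    authz, sep, token = rest.partition(b",")   # saslname never has a raw ','
    if not sep:
        raise ValueError("malformed gs2 header: missing authzid terminator")
    if authz == b"":
        return None, token
    if not authz.startswith(b"a="):
        raise ValueError("malformed gs2 authzid field")
    return _unescape_saslname(authz[2:].decode("utf-8")), token


def proxy_identity(mech: str, ir: bytes) -> Optional[str]:
    """Identity a proxy could use for its passdb lookup from the IR alone.

    None means the IR does not expose it: either the mechanism needs the
    authentication to complete first (the GSSAPI case) or the optional
    GS2 authzid was not sent. The dispatch table is an assumption of this
    example, not Dovecot's mechanism registry.
    """
    if mech == "PLAIN":
        authz, authc = parse_plain_ir(ir)
        return authz or authc            # RFC 4616: empty authzid means authcid
    if mech in ("GS2-KRB5", "GS2-KRB5-PLUS"):
        authz, _token = parse_gs2_header(ir)
        return authz
    if mech == "GSSAPI":
        # RFC 4752: the IR is a raw GSS-API context token; the authzid only
        # arrives in the final, GSS-wrapped client message after the
        # context is established, so nothing is available before auth.
        return None
    raise ValueError(f"unsupported mechanism {mech}")


if __name__ == "__main__":
    # Constructed sample IRs (already base64-decoded).
    samples = [
        ("PLAIN", b"\x00alice@example.com\x00s3cret"),
        ("PLAIN", b"admin@example.com\x00alice@example.com\x00s3cret"),
        ("GS2-KRB5", b"n,a=bob=2Cjr@example.com,\x60\x82\x01\x00"),
        ("GS2-KRB5", b"p=tls-unique,,\x60\x82\x01\x00"),
        ("GSSAPI", b"\x60\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
    ]
    for mech, ir in samples:
        print(f"{mech:10} -> {proxy_identity(mech, ir)!r}")
```

The interesting row is the GS2-KRB5 IR with an empty authzid field: the header format is known, yet the proxy still gets nothing to look up until the Kerberos token is verified, which is the same position raw GSSAPI is always in. A proxy feature keyed on "can I learn the user from the IR" therefore has to be defined per mechanism and per message shape, not just per mechanism name.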