auth_policy in a non-authenticating proxy chain

Peter Mogensen apm at one.com
Thu Dec 14 09:30:20 EET 2017


Hi,

I was looking into the new Authentication Policy feature:
https://wiki2.dovecot.org/Authentication/Policy

I had kinda hoped that I would be able to enforce this in a proxy running
in front of several backends. This proxy does not authenticate. It uses
"nopassword".


But I realize that the "success" reported in the final authpolicy req.
(command=report) is not what is actually happening on the IMAP protocol
level, but rather the result of the passdb chain in the proxy.
(I should probably have predicted this, it's kinda reasonable).

However... since the proxy uses "nopassword", ALL passdb lookups result
in "success", so the proxy will never report an authentication failure
to the authpolicy server.

This, of course, forces me to do the authpolicy check on the backend
with a shared state, but it would still have been nice to have the proxy
being able to do the first "command=allow" req. and reject attempts
already there even though the backend does "command=report".

/Peter
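
The effect described in the message above, as an added example that is not part of the original post and is not Dovecot or policy-server code: a simplified model of a failure-counting policy server, comparing a report taken from the proxy's "nopassword" passdb result with one taken from the backend's real result. The threshold, class and function names, account and address are assumptions made for the illustration, and the model does not claim Dovecot supports the split setup.

```python
# Simplified model (constructed; not Dovecot or policy-server code).
FAIL_LIMIT = 3  # assumed threshold; a real policy server defines its own

CONSTRUCTED_USERS = {"alice": "correct-horse"}  # constructed sample account


class PolicyServer:
    """Counts failed reports per (login, remote), i.e. shared state."""

    def __init__(self):
        self.failures = {}

    def allow(self, login, remote):
        # Convention of the policy response: negative = reject, 0 = accept.
        return -1 if self.failures.get((login, remote), 0) >= FAIL_LIMIT else 0

    def report(self, login, remote, success):
        if not success:
            key = (login, remote)
            self.failures[key] = self.failures.get(key, 0) + 1


def proxy_passdb_nopassword(login, password):
    return True  # "nopassword": every lookup on the proxy succeeds


def backend_passdb(login, password):
    return CONSTRUCTED_USERS.get(login) == password


def run_attempts(report_from, attempts=10):
    """Return how many wrong-password attempts reach the backend passdb."""
    policy = PolicyServer()
    reached_backend = 0
    for i in range(attempts):
        login, remote, password = "alice", "192.0.2.10", f"guess{i}"
        if policy.allow(login, remote) < 0:  # command=allow on the proxy
            continue  # rejected before the backend is contacted
        proxy_ok = proxy_passdb_nopassword(login, password)
        reached_backend += 1
        backend_ok = backend_passdb(login, password)
        # command=report carries the reporter's own passdb result
        result = proxy_ok if report_from == "proxy" else backend_ok
        policy.report(login, remote, result)
    return reached_backend


if __name__ == "__main__":
    print("report from proxy:  ", run_attempts("proxy"))
    print("report from backend:", run_attempts("backend"))
```

With the report taken from the proxy, the failure counter never moves and every attempt reaches the backend; with the backend's result reported into the same state, the allow check starts rejecting once the assumed limit is hit.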

