Dovecot, Postfix, and SASL AUTH EXTERNAL

Matt Horan matt at matthoran.com
Fri Feb 3 04:29:48 UTC 2017


Hey folks,

I've been using the ever popular Dovecot and Postfix combo for years. A
while back I also introduced mutual TLS for mail clients to Dovecot and
Postfix. I achieved this with a custom checkpassword script and SASL AUTH
EXTERNAL for IMAP.

This all worked great with clients like Thunderbird, which can be
configured to use mutual TLS and SASL EXTERNAL for IMAP, and mutual TLS
with no additional authentication for SMTP. However, I found that other
mail clients, in particular K-9 Mail on Android [1], are not compatible
with this configuration.

I've been patching K-9 mail to work around this issue for some time now.
If I configure K-9 to behave like Thunderbird when sending messages via
SMTP, all is well. However, there's been some activity on an issue [2]
which suggests some changes may be upcoming which will be incompatible
with my patch.

Without my patch, K-9 tries to auth with Postfix via AUTH EXTERNAL after
presenting its client certificate. Despite configuring Postfix to prefer
certificates before SASL, Postfix forwards the authentication request to
Dovecot, which rejects it without even trying my checkpassword script.

With my patch, K-9 simply initiates an SMTP connection without any
additional authentication when mutual TLS is used. This behavior is
similar to Thunderbird. The K-9 maintainers do not seem interested in
merging this behavior into mainline.

I can't seem to get Postfix to ignore the SASL failures in the case of
successful mutual TLS. I want to use SASL authentication as a fallback
from untrusted clients, where I use a combination of password and one
time code.

Even if Dovecot did not reject the AUTH EXTERNAL request from Postfix,
I'm not sure how it could determine whether a valid client certificate
were presented to Postfix, unless some additional information were
passed along in the SASL request.

I'd love to hear any thoughts from the community on how to move forward
here. Should I pressure the K-9 maintainers to behave more like other
clients? Would it make sense to extend the SASL interface in some way
such that Dovecot could handle an EXTERNAL request from Postfix? Or
should Postfix simply ignore SASL EXTERNAL based on the configured
authentication mechanism order?

Thanks,
Matt

[1] https://github.com/k9mail/k-9/
[2] https://github.com/k9mail/k-9/issues/793

-- 
Matt Horan matt at matthoran.com http://matthoran.com/
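Added example (not from the poster, nor code from Dovecot or Postfix): a small Python model of the Dovecot auth-client protocol step that decides the fate of an AUTH EXTERNAL request, to illustrate the rejection described in the message above. Dovecot's auth protocol already carries the kind of information the message asks about: a "valid-client-cert" flag and a "cert_username=" parameter. Those are set by Dovecot's own login processes (imap-login, pop3-login) after they verify the TLS client certificate themselves; Postfix's Dovecot SASL client sends "secured" when TLS is on but nothing about certificate verification, so Dovecot's EXTERNAL mechanism fails the request before any passdb such as checkpassword runs. The two request lines, the addresses and the user name "alice" are constructed to resemble what those two clients send and are not captured traffic; the handling of the SASL authorization identity is simplified, as noted in the code.

```python
"""Model of the Dovecot auth-client protocol decision for AUTH EXTERNAL.

Constructed example for this thread; not code from Dovecot, Postfix or the
poster.  The request lines at the bottom are written by hand to look like
what the two Dovecot auth clients send; they are not captured traffic.
"""
import base64


def parse_auth_request(line):
    """Split one tab-separated 'AUTH <id> <mech> <param>...' line.

    Bare words (secured, nologin, valid-client-cert) become flags;
    key=value words (service=, rip=, cert_username=, resp=) become params.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    req = {"id": int(fields[1]), "mech": fields[2].upper(),
           "flags": set(), "params": {}}
    for field in fields[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        else:
            req["flags"].add(field)
    return req


def external_auth(req):
    """Return (reply_line, reason) for an EXTERNAL request.

    Models the precondition Dovecot's EXTERNAL mechanism applies before any
    passdb is consulted: the auth client must have set 'valid-client-cert'
    after verifying the TLS client certificate itself, and must supply the
    certificate-derived user in cert_username.  A request without the flag
    fails here, so a checkpassword passdb never sees it.  resp= carries a
    base64 SASL authorization identity; Dovecot treats a non-empty one as a
    master-user login, which this model does not implement (simplification).
    """
    if req["mech"] != "EXTERNAL":
        raise ValueError("not an EXTERNAL request: %s" % req["mech"])
    fail = "FAIL\t%d\n" % req["id"]
    if "valid-client-cert" not in req["flags"]:
        return fail, "client didn't present valid SSL certificate"
    user = req["params"].get("cert_username", "")
    if not user:
        return fail, "username not known"
    authzid = base64.b64decode(req["params"].get("resp", "")).decode()
    if authzid and authzid != user:
        return fail, "authorization identity differs from certificate user"
    # Dovecot would now run the passdb chain (e.g. checkpassword) for 'user'.
    return "OK\t%d\tuser=%s\n" % (req["id"], user), "passdb lookup proceeds"


# Constructed request lines.  The first is shaped like what Postfix's Dovecot
# SASL client sends when an SMTP client issues AUTH EXTERNAL: TLS is on
# ("secured") but nothing says a client certificate was verified.  The second
# is shaped like what imap-login sends after verifying the certificate itself.
# Addresses are documentation ranges; "alice" is a placeholder user.
POSTFIX_REQUEST = ("AUTH\t1\tEXTERNAL\tservice=smtp\tnologin\tsecured"
                   "\tlip=192.0.2.25\trip=198.51.100.7\tresp=\n")
IMAP_LOGIN_REQUEST = ("AUTH\t2\tEXTERNAL\tservice=imap\tsecured"
                      "\tvalid-client-cert\tcert_username=alice"
                      "\tlip=192.0.2.25\trip=198.51.100.7\tresp=\n")


def main():
    for name, line in (("postfix", POSTFIX_REQUEST),
                       ("imap-login", IMAP_LOGIN_REQUEST)):
        reply, reason = external_auth(parse_auth_request(line))
        print("%-10s -> %r (%s)" % (name, reply.strip(), reason))


if __name__ == "__main__":
    main()
```

Running the script prints a FAIL for the Postfix-shaped request and an OK for the imap-login-shaped one. The difference is entirely in who verified the certificate: Dovecot's login process did it and told the auth server so, whereas Postfix terminated TLS itself and has no field in its Dovecot SASL request to pass that fact on, which is why the checkpassword passdb is never reached in the SMTP case.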
