Selective authentication mechanism

Brian Topping brian.topping at gmail.com
Wed Feb 14 20:39:50 EET 2018


Hi all!

I have been using the GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ goes through how to set it up for web pages.

In any event, what I’m looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says “These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter”.

I guess it’s kind of academic, but I thought I’d ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it?

Thanks! Brian