Selective authentication mechanism

Aki Tuomi aki.tuomi at dovecot.fi
Fri Feb 16 09:56:43 EET 2018



On 14.02.2018 20:39, Brian Topping wrote:
> Hi all!
>
> I have been using the GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ goes through how to set it up for web pages.
>
> In any event, what I’m looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says “These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter”.
>
> I guess it’s kind of academic, but I thought I’d ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it?
>
> Thanks! Brian

Hi Brian,

you can return allow_nets in your passdb to limit which networks the
passdb is valid for. See
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

Aki
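
Added example, not part of the original thread and not taken from the Dovecot project: a passwd-file passdb whose entries return the allow_nets extra field, so that a password login succeeds only when the client connects from one of the listed networks. The file path, user name, network ranges and hash placeholder are assumptions made for illustration.

```conf
# dovecot.conf fragment (illustrative; path is an assumption)
passdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}

# /etc/dovecot/users (illustrative entry)
# Format: user:password:uid:gid:gecos:home:shell:extra_fields
# allow_nets takes a comma-separated list of IPs or CIDR networks;
# a login through this passdb from any other address fails.
# 192.168.1.0/24 stands in for the local network, 10.8.0.0/24 for the VPN.
brian:{SHA512-CRYPT}<password-hash-placeholder>::::::allow_nets=192.168.1.0/24,10.8.0.0/24
```

Because allow_nets is returned per user, different accounts can carry different network lists.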