dovecot-SASL for Postfix: EXTERNAL does not work.

Steffen Nurpmeso steffen at sdaoden.eu
Thu Aug 20 17:28:58 EEST 2020


Hello.

I am not subscribed and new here, so first of all i want to thank
you for dovecot.  I personally do not use it in "production"
(yet), but it is my sole point of interaction for testing the
little MUA i maintain for quite some years.  I also have used its
code for affirmation purposes.  (Interesting that OAUTHBEARER
treats hostname and port as optional.  I currently do
OAUTHBEARER.)

So then i stumbled over GSSAPI not being usable anymore with the
latest release, but it seems there is an ML thread with a fix.
I have not tried it, i reverted to the last release here, though.

When i implemented EXTERNAL authentication last year i could not
figure out how to make postfix+dovecot-SASL work with it.  First
of all i had to switch configs back and forth, but in the meantime
i learned a very nice trick: if i use two password databases

  passdb {
    driver = passwd-file
    mechanisms = external
    args = /etc/dovecot/pass-external.db
    override_fields = nopassword
  }
  passdb {
    driver = passwd-file
    args = /etc/dovecot/pass.db
  }
  userdb {
    driver = passwd
  }

which are effectively the same except that one does not have
passwords while the other has, i can use EXTERNAL (with and
without additional user-via-protocol in combination with
auth_ssl_username_from_cert=yes) and it just works!

Whereas EXTERNAL works just fine for IMAP and POP3 it does not for
SMTP.  Last year when i did it i saw a postfix ML thread in
action, so i have not looked further into that.  Looking again
with things unchanged in the postfix 3.5 that they mentioned by
then i think, i now posted to the postfix list myself yesterday
[1], and it turned out that postfix seems incapable of doing
something about it, because the dovecot auth protocol does not
offer the possibility to specify a valid-user-certificate-seen
flag as well as pass the username from the certificate.  (Or even
pass the entire certificate as a base64 string, less postfix CA,
.. or whatever.)

  [1] https://marc.info/?l=postfix-users&m=159785887710910&w=2

What is really terrible with the current situation is that postfix
announces the EXTERNAL, with Wietse Venema saying

  Short summary: Postfix does not implement a single iota of SASL
  AUTH support. Postfix simply propagates the names of mechanisms
  that the backend (Cyrus or Dovecot) claims to support, and Postfix
  proxies requests and responses between the remote SMTP client and
  the SASL backend. Postfix has no idea what SASL mechanisms are,
  including EXTERNAL. It just proxies stuff.

  If Dovecot claims to support SASL EXTERNAL but does not handle it,
  that is a bit of a WTF.

It would be tremendous to have true EXTERNAL support all through,
i personally really like EXTERNAL, i would rather have some
password-protected cryptographically secured certificates in my
local store, and have client certificates in all the IoT devices,
than have to mess around with the OAUTH that the major players
press forward, for example.

Thanks,
and Ciao from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
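Added example, not code from the post, Dovecot or Postfix: a small Python probe that connects with a client certificate over implicit TLS (IMAPS or SMTPS) and returns whether EXTERNAL is offered and whether it is then accepted, so an announced-but-rejected mechanism like the SMTP case described above shows up directly. It assumes the server supports SASL-IR for IMAP (Dovecot does); host, port, certificate paths and the EHLO name are placeholders.

```python
# Added example (not from the original post, Dovecot or Postfix): drive an
# implicit-TLS SMTP or IMAP session and report (offered, accepted) for EXTERNAL.
import base64
import socket
import ssl

def external_initial_response(authzid=""):
    """SASL EXTERNAL initial response (RFC 4422): base64 authorization
    identity, or '=' for an empty one (RFC 4954 / RFC 4959)."""
    return base64.b64encode(authzid.encode()).decode() if authzid else "="

def smtp_offers_external(ehlo_reply):
    """True if a '250-AUTH ...' line of the EHLO reply lists EXTERNAL."""
    for line in ehlo_reply.splitlines():
        words = line[4:].upper().split()            # drop '250-' / '250 '
        if words[:1] == ["AUTH"] and "EXTERNAL" in words[1:]:
            return True
    return False

def read_until(readline, done=lambda l: l[3:4] != "-"):
    lines = []                                      # default: SMTP reply end
    while True:
        line = readline()
        lines.append(line)
        if not line or done(line):
            return "".join(lines)

def smtp_external(readline, send, authzid=""):
    """EHLO, then AUTH EXTERNAL, on a stream that is already under TLS."""
    read_until(readline)                            # server greeting
    send("EHLO probe.invalid\r\n")                  # placeholder client name
    offered = smtp_offers_external(read_until(readline))
    send("AUTH EXTERNAL %s\r\n" % external_initial_response(authzid))
    return offered, read_until(readline).startswith("235")

def imap_external(readline, send, authzid=""):
    """CAPABILITY, then AUTHENTICATE EXTERNAL with SASL-IR (Dovecot has it)."""
    readline()                                      # server greeting
    send("c1 CAPABILITY\r\n")
    caps = read_until(readline, lambda l: l.startswith("c1 "))
    send("c2 AUTHENTICATE EXTERNAL %s\r\n" % external_initial_response(authzid))
    reply = read_until(readline, lambda l: l.startswith("c2 "))
    return "AUTH=EXTERNAL" in caps.upper().split(), reply.startswith("c2 OK")

def probe(host, port, proto, certfile, keyfile, authzid=""):
    """Connect with implicit TLS and a client cert; proto is 'smtp' or 'imap'."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile, keyfile)          # placeholder paths
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        f = tls.makefile("rw", encoding="utf-8", newline="")
        run = imap_external if proto == "imap" else smtp_external
        return run(f.readline, lambda s: (f.write(s), f.flush()), authzid)
```

A result of (True, False) is the situation from the thread: the mechanism is announced, the server rejects it.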
