[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.

Aki Tuomi aki.tuomi at open-xchange.com
Fri Aug 21 07:39:29 EEST 2020


> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> 
>  
> Hello and good evening.
> 
> Sorry for responding so late, it is midsummer and i spend as much
> time as possible on the outside (bicycle, mostly).  (Just one more
> day, then 10 degrees colder!!)
> 
> I Cc: Wietse Venema, because i quote a message of him.
> (this is "set quote-add-cc" here.)
> 
> Aki Tuomi wrote in
>  <84881193.5398.1597934431687 at appsuite-dev-gw2.open-xchange.com>:
> 
> The dovecot mail archive removed your HTML message :)
> (And given code like
> 
>    <div>
>      
>    </div>
>    <div>
>      
>    </div>
>    <div>
>     Hello.
>    </div>
>    <div>
>      
>    </div>
>    <div>
>     I am not subscribed and new here, so first of all i want to thank
>    </div>
>    <div>
>     you for dovecot. I personally do not use it in "production"
>    </div>
> 
> it was right in doing so :-)
> 
>  ||On 20/08/2020 17:28 Steffen Nurpmeso <steffen at sdaoden.eu> wrote: 
>  ...
>  ||What is really terrible with the current situation is that postfix 
>  |
>  ||announces the EXTERNAL, with Wietse Venema saying 
> 
> It seems he has read the dovecot documentation again in the
> meantime, different to me :(, so i have to apologise for saying
> 
>  |[1], and it turned out that postfix seems incapable to do
>  |something about it, because the dovecot auth protocol does not
>  |offer the possibility to specify a valid-user-certificate-seen
>  |flag as well as pass the username from the certificate. (Or even
>  |pass the entire certificate as a base64 string, less postfix CA,
>  |.. or whatever.)
> 
> because Wietse Venema now says
> 
>   Wietse Venema wrote in
>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>    ...
>    |Steffen Nurpmeso:
>    ...
>    |> until SASL says it is done?!.  How could EXTERNAL ever work like
>    |> that in a client/server->auth-server situation?
>    |
>    |There's a chicken and egg question in there somewhere.
>    |
>    |https://wiki1.dovecot.org/Authentication%20Protocol mentions
>    |two attributes that might be relevant, and that Postfix can send:
>    |
>    |secured
>    |    Remote user has secured transport to auth client] (eg. localhost, \
>    |    SSL, TLS)
>    |
>    |valid-client-cert
>    |    Remote user has presented a valid SSL certificate.
>    |
>    |But these are booleans. What protocol attribute would Postfix use
>    |to pass certificate name information (and which name, as there
>    |can be any number of them)?
>    |
>    | Wietse
>    | Wietse
>    --End of <4BXSTk189nzJrP3 at spike.porcupine.org>
> 
> I think i will spend some time tomorrow and try to do some
> coding with postfix.  Let's see whether the immediate response of
> EXTERNAL can work with dovecot's SASL, even in conjunction with
> auth_ssl_username_from_cert=yes that is!
> Otherwise i think what he says here.
> 
>  |You could try out dovecot submission service. It should work better \
>  |with EXTERNAL.
> 
> For the internal test network this may really be an option.  But
> for my web vm: ach, i am not an administrator, it is a pain to get
> used to all that.  In real life i use the DMA here, and external
> mail goes via my MUA through ssh only:
> 
>   set mta=/usr/bin/ssh
>   set mta-arguments='steffen at sdaoden.eu /usr/sbin/sendmail -t'
>   set mta-argv0=ssh
> 
> That sendmail is postfix, then.  And there is such a tremendous
> amount of noise in the logs of postfix and the lighttpd web server
> that are available easily from the network, it is terrible.  Even
> with very rigid firewall rules, and things like postfix's error
> limits, junk command limit, record deadlines, timeouts, active
> sleeping in restrictions ...  And for now i would not even know
> whether dovecot has equivalents, nor how to apply this
> correctly.  These are all very capable and highly configurable
> applications.  dovecot for example, i track the source for
> a couple of years, comes with
>  568 files changed, 26488 insertions(+), 6969 deletions(-)
> for my last update (v2.3.10.1 to v2.3.11.3).  This is a lot.
> 
> Thank you.
> And Ciao! and good night from Germany,
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

I was trying to suggest that you could try dovecot submission server. It might work better with EXTERNAL authentication.

Aki
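A worked model of the request line the thread is arguing about, added here as an example; it is not code from Dovecot, Postfix, or either poster. It assumes the tab-separated `AUTH` request format of the Dovecot authentication protocol and the two boolean attributes quoted from the protocol page above, `secured` and `valid-client-cert`. The acceptance policy in `external_decision()` is an illustrative assumption that models Wietse's point (the attributes are booleans and carry no certificate name, so EXTERNAL can only succeed if the SASL client supplies an authorization identity in its initial response); it is not Dovecot's actual authentication logic.

```python
"""Model of a Dovecot auth-protocol AUTH request for SASL EXTERNAL.

Constructed example, not Dovecot's or Postfix's code.  It models only the
request line shape  AUTH<TAB>id<TAB>mechanism<TAB>key[=value]...  and the two
boolean attributes discussed in the thread.  The policy in external_decision()
is an assumption used to illustrate why booleans alone cannot carry a name.
"""
import base64


def build_auth_request(req_id, mechanism, service, secured=False,
                       valid_client_cert=False, initial_response=None):
    """Build the tab-separated AUTH request an SMTP server would send.

    initial_response is the raw SASL initial response (bytes); it is sent
    base64-encoded in the resp= parameter, as the protocol page describes.
    """
    fields = ["AUTH", str(req_id), mechanism, "service=" + service]
    if secured:
        fields.append("secured")            # boolean: transport is protected
    if valid_client_cert:
        fields.append("valid-client-cert")  # boolean: a valid cert was seen
    if initial_response is not None:
        fields.append("resp=" + base64.b64encode(initial_response).decode("ascii"))
    return "\t".join(fields)


def parse_auth_request(line):
    """Parse an AUTH request line into id, mechanism, bare flags and key=value params."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request line")
    req = {"id": int(parts[1]), "mechanism": parts[2].upper(),
           "flags": set(), "params": {}}
    for field in parts[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        else:
            req["flags"].add(field)
    return req


def external_decision(req):
    """Illustrative policy (assumption): decide an EXTERNAL request.

    Returns ("OK", username) or ("FAIL", reason).  The auth server never sees
    the certificate itself, so the only place a name can come from is the
    SASL initial response carried in resp=.
    """
    if req["mechanism"] != "EXTERNAL":
        return ("FAIL", "not an EXTERNAL request")
    if "valid-client-cert" not in req["flags"]:
        return ("FAIL", "client did not report a valid client certificate")
    resp = req["params"].get("resp")
    if resp is None:
        return ("FAIL", "no authorization identity: the flags are booleans and carry no name")
    authzid = base64.b64decode(resp).decode("utf-8")
    if not authzid:
        # RFC 4422 allows an empty EXTERNAL response meaning "use the external
        # identity", but the auth server has no certificate to derive it from.
        return ("FAIL", "empty authorization identity and no certificate available")
    return ("OK", authzid)


def format_response(req_id, decision):
    """Render the decision in the protocol's reply shape (OK/FAIL lines)."""
    status, detail = decision
    if status == "OK":
        return "OK\t%d\tuser=%s" % (req_id, detail)
    return "FAIL\t%d\treason=%s" % (req_id, detail)


if __name__ == "__main__":
    # Constructed sample requests: one carrying a name, one relying on booleans only.
    with_name = build_auth_request(1, "EXTERNAL", "smtp", secured=True,
                                   valid_client_cert=True, initial_response=b"steffen")
    flags_only = build_auth_request(2, "EXTERNAL", "smtp", secured=True,
                                    valid_client_cert=True, initial_response=b"")
    for line in (with_name, flags_only):
        req = parse_auth_request(line)
        print(line)
        print("  ->", format_response(req["id"], external_decision(req)))
```

Running the module shows the two cases side by side: the request that carries an authorization identity in `resp=` gets an `OK ... user=` reply, while the one that only sets `secured` and `valid-client-cert` fails because nothing in the line names the user.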

