[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.

Steffen Nurpmeso steffen at sdaoden.eu
Fri Aug 21 17:56:25 EEST 2020


Aki Tuomi wrote in
 <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
 |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
 ...
 |>   Wietse Venema wrote in
 |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
 |>    ...
 |>|Steffen Nurpmeso:
 |>    ...
 |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
 |>|> that in a client/server->auth-server situation?
 ...
 |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |>|two attributes that might be relevant, and that Postfix can send:
 |>|
 |>|secured
 |>|    Remote user has secured transport to auth client] (eg. localhost, \
 |>|    SSL, TLS)
 |>|
 |>|valid-client-cert
 |>|    Remote user has presented a valid SSL certificate.
 |>|
 |>|But these are booleans. What protocol attribute would Postfix use
 |>|to pass certificate name information (and which name, as there
 |>|can be any number of them)?
 ...
 |I was trying to suggest that you could try dovecot submission server. \
 |It might work better with EXTERNAL authentication.

Ok, thanks.  Yes, i just faked it for my tests, carrying over the
IMAP/POP3 communication.  (I use your output as a template and do
stuff like

        smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
           -Stls-config-pairs=Certificate=client-pair.pem
        { smtp_ehlo && printf '\001
  STARTTLS
  \003
  220 2.0.0 Ready to start TLS
  ' &&
           smtp_ehlo 0 && printf '\001
  AUTH EXTERNAL =
  ' &&
           smtp_auth_ok && smtp_go; } |
           ../net-test -U -s .t.sh > "${MBOX}" 2>&1
        check auth-7 0 "${MBOX}" '4294967295 0'

you know.  Terrible this does not work for GSSAPI, i am about to
ask the MIT people to add two pseudo credentials, one which always
works and one which does not, so that automatic testing is
possible at all, and via unprivileged account!)

But wouldn't this be an improvement, extending the protocol so
that it announces a fingerprint checksum digest, which then can be
used in return to report client certificate fingerprints to the
dovecot auth server?  Like that even client certificate
verification could be handled by dovecot auth, aka via SASL, and
administrators would have to take care for one user database only?

Other than that i say
Ciao from Germany!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
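The auth-protocol attributes quoted above (secured, valid-client-cert) and the EXTERNAL case, as an added Python sketch that is not from this thread, Dovecot or Postfix: it formats an AUTH request the way an auth client (an MTA) would send it, parses it, and applies a minimal server-side policy written for this example. The TAB-separated field layout follows the Dovecot auth protocol; treating the resp= authzid as the only identity source and the reason= text are assumptions of the example.

```python
import base64

# Constructed example; the Dovecot auth protocol uses TAB-separated
# request lines terminated by LF.  Nothing here is Dovecot or Postfix code.

def build_auth_request(req_id, mechanism, service, secured=False,
                       valid_client_cert=False, initial_response=None):
    """Format an AUTH request line as an auth client would send it."""
    fields = ["AUTH", str(req_id), mechanism, f"service={service}"]
    if secured:
        fields.append("secured")            # TLS or localhost transport
    if valid_client_cert:
        fields.append("valid-client-cert")  # client cert verified by the MTA
    if initial_response is not None:
        # SASL initial response ("AUTH EXTERNAL =" maps to an empty one)
        fields.append("resp=" + base64.b64encode(initial_response).decode("ascii"))
    return "\t".join(fields) + "\n"

def parse_auth_request(line):
    """Return (id, mechanism, params); bare flags map to True."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params = {}
    for item in parts[3:]:
        key, sep, value = item.partition("=")
        params[key] = value if sep else True
    return int(parts[1]), parts[2], params

def decide_external(line):
    """Example server-side policy for EXTERNAL.

    The only proof that a client certificate was checked is the boolean
    valid-client-cert flag, and the protocol carries no certificate name,
    so the identity has to come from the authzid in resp= (assumption of
    this example).  Returns the OK/FAIL reply line.
    """
    req_id, mech, params = parse_auth_request(line)
    if mech != "EXTERNAL":
        return f"FAIL\t{req_id}\treason=not EXTERNAL\n"
    if params.get("valid-client-cert") is not True:
        return f"FAIL\t{req_id}\n"
    resp = params.get("resp")
    user = base64.b64decode(resp).decode("utf-8") if resp else ""
    if not user:
        # Empty authzid: nothing names the user, exactly the thread's symptom
        return f"FAIL\t{req_id}\treason=no identity available\n"
    return f"OK\t{req_id}\tuser={user}\n"
```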
