[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Aug 21 18:15:14 EEST 2020
> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>
>
> Aki Tuomi wrote in
> <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
> |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> ...
> |> Wietse Venema wrote in
> |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
> |> ...
> |>|Steffen Nurpmeso:
> |> ...
> |>|> until SASL says it is done?!. How could EXTERNAL ever work like
> |>|> that in a client/server->auth-server situation?
> ...
> |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
> |>|two attributes that might be relevant, and that Postfix can send:
> |>|
> |>|secured
> |>| Remote user has secured transport to auth client (eg. localhost, \
> |>| SSL, TLS)
> |>|
> |>|valid-client-cert
> |>| Remote user has presented a valid SSL certificate.
> |>|
> |>|But these are booleans. What protocol attribute would Postfix use
> |>|to pass certificate name information (and which name, as there
> |>|can be any number of them)?
> ...
> |I was trying to suggest that you could try dovecot submission server. \
> |It might work better with EXTERNAL authentication.
>
> Ok, thanks. Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication. (I use your output as a template and do
> stuff like
>
> smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
> -Stls-config-pairs=Certificate=client-pair.pem
> { smtp_ehlo && printf '\001
> STARTTLS
> \003
> 220 2.0.0 Ready to start TLS
> ' &&
> smtp_ehlo 0 && printf '\001
> AUTH EXTERNAL =
> ' &&
> smtp_auth_ok && smtp_go; } |
> ../net-test -U -s .t.sh > "${MBOX}" 2>&1
> check auth-7 0 "${MBOX}" '4294967295 0'
>
> you know. Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unprivileged account!)
>
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server? Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care of one user database only?
>
> Other than that i say
> Ciao from Germany!
>
> --steffen
> |
> |Der Kragenbaer, The moon bear,
> |der holt sich munter he cheerfully and one by one
> |einen nach dem anderen runter wa.ks himself off
> |(By Robert Gernhardt)
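The two attributes quoted from the Dovecot authentication protocol wiki, "secured" and "valid-client-cert", are bare flags in the tab-separated AUTH request that an auth client (here: Postfix acting as SASL client) sends to dovecot-auth. The following Python is an added illustration, not code from this thread, from Dovecot or from Postfix: it builds and parses such an AUTH line for the EXTERNAL mechanism and applies a defender-side policy check that refuses EXTERNAL unless both flags are present, since EXTERNAL carries no secret of its own and rests entirely on the transport and the presented certificate. It also decodes the "AUTH EXTERNAL =" form from the test script above, where "=" is the SMTP way (RFC 4954) of sending an empty initial response. The field names and layout follow the wiki page cited in the quote; the function and parameter names are my own, and the request id and service value are constructed sample data. It deliberately does not invent an attribute for certificate names, the point Wietse left open.

```python
import base64

# Assumed layout per the Dovecot "Authentication Protocol" wiki page:
#   AUTH <TAB> id <TAB> mechanism <TAB> key=value / bare-flag ...
# Bare flags on the page: "secured", "valid-client-cert".
BOOLEAN_FLAGS = {"secured", "valid-client-cert"}


def build_auth_request(req_id, mechanism, service, secured=False,
                       valid_client_cert=False, initial_response=None):
    """Serialise one AUTH line as an auth client would send it to dovecot-auth."""
    fields = ["AUTH", str(req_id), mechanism, "service=" + service]
    if secured:
        fields.append("secured")
    if valid_client_cert:
        fields.append("valid-client-cert")
    if initial_response is not None:
        # resp carries the base64 of the client's initial SASL response;
        # for EXTERNAL an empty authzid means "use the identity from the cert".
        fields.append("resp=" + base64.b64encode(initial_response).decode("ascii"))
    return "\t".join(fields) + "\n"


def parse_auth_request(line):
    """Parse an AUTH line into id, mechanism, bare flags and key=value params."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    req = {"id": parts[1], "mechanism": parts[2], "flags": set(), "params": {}}
    for field in parts[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        elif field in BOOLEAN_FLAGS:
            req["flags"].add(field)
        else:
            raise ValueError("unknown bare attribute: %r" % field)
    if "resp" in req["params"]:
        req["response"] = base64.b64decode(req["params"]["resp"])
    return req


def external_allowed(req):
    """Policy check: EXTERNAL is only meaningful over a secured transport on
    which the peer presented a certificate the TLS layer already validated.
    Without "valid-client-cert" there is nothing for EXTERNAL to authenticate."""
    return req["mechanism"] == "EXTERNAL" and BOOLEAN_FLAGS <= req["flags"]


def smtp_auth_initial_response(smtp_line):
    """Extract the optional initial response from an SMTP 'AUTH <mech> [resp]'
    line. "=" denotes an explicitly empty response (RFC 4954); absence -> None."""
    words = smtp_line.strip().split()
    if len(words) < 2 or words[0].upper() != "AUTH":
        raise ValueError("not an SMTP AUTH command: %r" % smtp_line)
    if len(words) == 2:
        return None
    if words[2] == "=":
        return b""
    return base64.b64decode(words[2])


if __name__ == "__main__":
    # Constructed sample: what the test script's "AUTH EXTERNAL =" becomes
    # once Postfix has verified the client certificate over TLS.
    resp = smtp_auth_initial_response("AUTH EXTERNAL =")
    line = build_auth_request(1, "EXTERNAL", "smtp", secured=True,
                              valid_client_cert=True, initial_response=resp)
    print(repr(line))
    print("EXTERNAL allowed:", external_allowed(parse_auth_request(line)))
    # Same request on a plaintext connection without a certificate: refused.
    weak = build_auth_request(2, "EXTERNAL", "smtp", initial_response=resp)
    print("EXTERNAL allowed:", external_allowed(parse_auth_request(weak)))
```

Run it directly to see the two AUTH lines and the policy verdicts; the second case is the one to watch for in auth logs, an EXTERNAL attempt arriving without the flags that would justify it.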
More information about the dovecot mailing list