[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Aug 21 18:16:20 EEST 2020
> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>
>
> Aki Tuomi wrote in
> <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
> |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> ...
> |> Wietse Venema wrote in
> |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
> |> ...
> |>|Steffen Nurpmeso:
> |> ...
> |>|> until SASL says it is done?!. How could EXTERNAL ever work like
> |>|> that in a client/server->auth-server situation?
> ...
> |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
> |>|two attributes that might be relevant, and that Postfix can send:
> |>|
> |>|secured
> |>| Remote user has secured transport to auth client] (eg. localhost, \
> |>| SSL, TLS)
> |>|
> |>|valid-client-cert
> |>| Remote user has presented a valid SSL certificate.
> |>|
> |>|But these are booleans. What protocol attribute would Postfix use
> |>|to pass certificate name information (and which name, as there
> |>|can be any number of them)?
> ...
> |I was trying to suggest that you could try dovecot submission server. \
> |It might work better with EXTERNAL authentication.
>
> Ok, thanks. Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication. (I use your output as a template and do
> stuff like
>
> smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
> -Stls-config-pairs=Certificate=client-pair.pem
> { smtp_ehlo && printf '\001
> STARTTLS
> \003
> 220 2.0.0 Ready to start TLS
> ' &&
> smtp_ehlo 0 && printf '\001
> AUTH EXTERNAL =
> ' &&
> smtp_auth_ok && smtp_go; } |
> ../net-test -U -s .t.sh > "${MBOX}" 2>&1
> check auth-7 0 "${MBOX}" '4294967295 0'
>
> you know. Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unpriviledged account!)
>
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server? Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
>
> Other than that i say
> Ciao from Germany!
>
> --steffen
> |
> |Der Kragenbaer, The moon bear,
> |der holt sich munter he cheerfully and one by one
> |einen nach dem anderen runter wa.ks himself off
> |(By Robert Gernhardt)
Sorry for duplicate mail, I accidentically pressed too many keys... *sigh*
Anyways, I'm not sure if you understood my point, I ment, have you tried EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission_server/ ?
Aki
More information about the dovecot
mailing list