[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.

Michael Peddemors michael at linuxmagic.com
Fri Aug 21 18:17:16 EEST 2020


Just another reminder..

https://github.com/dovecot/core/pull/86

This will allow plugins to make 'capability' advertisements more dynamic..

On 2020-08-21 7:56 a.m., Steffen Nurpmeso wrote:
> Aki Tuomi wrote in
>   <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
>   |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>   ...
>   |>   Wietse Venema wrote in
>   |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>   |>    ...
>   |>|Steffen Nurpmeso:
>   |>    ...
>   |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
>   |>|> that in a client/server->auth-server situation?
>   ...
>   |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>   |>|two attributes that might be relevant, and that Postfix can send:
>   |>|
>   |>|secured
>   |>|    Remote user has secured transport to auth client] (eg. localhost, \
>   |>|    SSL, TLS)
>   |>|
>   |>|valid-client-cert
>   |>|    Remote user has presented a valid SSL certificate.
>   |>|
>   |>|But these are booleans. What protocol attribute would Postfix use
>   |>|to pass certificate name information (and which name, as there
>   |>|can be any number of them)?
>   ...
>   |I was trying to suggest that you could try dovecot submission server. \
>   |It might work better with EXTERNAL authentication.
> 
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
> 
>          smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>             -Stls-config-pairs=Certificate=client-pair.pem
>          { smtp_ehlo && printf '\001
>    STARTTLS
>    \003
>    220 2.0.0 Ready to start TLS
>    ' &&
>             smtp_ehlo 0 && printf '\001
>    AUTH EXTERNAL =
>    ' &&
>             smtp_auth_ok && smtp_go; } |
>             ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>          check auth-7 0 "${MBOX}" '4294967295 0'
> 
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unpriviledged account!)
> 
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
> 
> Other than that i say
> Ciao from Germany!
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
> 



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


More information about the dovecot mailing list