<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
</div>
<blockquote type="cite">
<div>
On 20/08/2020 17:28 Steffen Nurpmeso <<a href="mailto:steffen@sdaoden.eu">steffen@sdaoden.eu</a>> wrote:
</div>
<div>
</div>
<div>
</div>
<div>
Hello.
</div>
<div>
</div>
<div>
I am not subscribed and new here, so first of all i want to thank
</div>
<div>
you for dovecot. I personally do not use it in "production"
</div>
<div>
(yet), but it is my sole point of interaction for testing the
</div>
<div>
little MUA i maintain for quite some years. I also have used its
</div>
<div>
code for affirmation purposes. (Interesting that OAUTHBEARER
</div>
<div>
treats hostname and port as optional. I currently do
</div>
<div>
OAUTHBEARER.)
</div>
<div>
</div>
<div>
So then i stumbled over GSSAPI not being usable anymore with the
</div>
<div>
latest release, but it seems there is an ML thread with a fix.
</div>
<div>
I have not tried it, i reverted to the last release here, though.
</div>
<div>
</div>
<div>
When i implemented EXTERNAL authentication last year i could not
</div>
<div>
figure out how to make postfix+dovecot-SASL work with it. First
</div>
<div>
of all i had to switch configs back and forth, but in the meantime
</div>
<div>
i learned a very nice trick: if i use two password databases
</div>
<div>
</div>
<pre>passdb {
  driver = passwd-file
  mechanisms = external
  args = /etc/dovecot/pass-external.db
  override_fields = nopassword
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/pass.db
}
userdb {
  driver = passwd
}</pre>
<div>
</div>
<div>
which are effectively the same except that one does not have
</div>
<div>
passwords while the other has, i can use EXTERNAL (with and
</div>
<div>
without additional user-via-protocol in combination with
</div>
<div>
auth_ssl_username_from_cert=yes and it just works!
</div>
<div>
</div>
<div>
Whereas EXTERNAL works just fine for IMAP and POP3 it does not for
</div>
<div>
SMTP. Last year when i did it i saw a postfix ML thread in
</div>
<div>
action, so i have not looked further into that. Looking again
</div>
<div>
with things unchanged in the postfix 3.5 that they mentioned by
</div>
<div>
then i think, i now posted to the postfix list myself yesterday
</div>
<div>
[1], and it turned out that postfix seems incapable of doing
</div>
<div>
something about it, because the dovecot auth protocol does not
</div>
<div>
offer the possibility to specify a valid-user-certificate-seen
</div>
<div>
flag as well as pass the username from the certificate. (Or even
</div>
<div>
pass the entire certificate as a base64 string, less postfix CA,
</div>
<div>
.. or whatever.)
</div>
<div>
</div>
<div>
[1] <a href="https://marc.info/?l=postfix-users&m=159785887710910&w=2" target="_blank" rel="noopener">https://marc.info/?l=postfix-users&m=159785887710910&w=2</a>
</div>
<div>
</div>
<div>
What is really terrible with the current situation is that postfix
</div>
<div>
announces the EXTERNAL, with Wietse Venema saying
</div>
<div>
</div>
<div>
Short summary: Postfix does not implement a single iota of SASL
</div>
<div>
AUTH support. Postfix simply propagates the names of mechanisms
</div>
<div>
that the backend (Cyrus or Dovecot) claims to support, and Postfix
</div>
<div>
proxies requests and responses between the remote SMTP client and
</div>
<div>
the SASL backend. Postfix has no idea what SASL mechanisms are,
</div>
<div>
including EXTERNAL. It just proxies stuff.
</div>
<div>
</div>
<div>
If Dovecot claims to support SASL EXTERNAL but does not handle it,
</div>
<div>
that is a bit of a WTF.
</div>
<div>
</div>
<div>
It would be tremendous to have true EXTERNAL support all through,
</div>
<div>
i personally really like EXTERNAL, i would rather have some
</div>
<div>
password-protected cryptographically secured certificates in my
</div>
<div>
local store, and have client certificates in all the IoT devices,
</div>
<div>
than have to mess around with the OAUTH that the major players
</div>
<div>
press forward, for example.
</div>
<div>
</div>
<div>
Thanks,
</div>
<div>
and Ciao from Germany,
</div>
<div>
</div>
<div>
--steffen
</div>
<div>
|
</div>
<div>
|Der Kragenbaer, The moon bear,
</div>
<div>
|der holt sich munter he cheerfully and one by one
</div>
<div>
|einen nach dem anderen runter wa.ks himself off
</div>
<div>
|(By Robert Gernhardt)
</div>
</blockquote>
<div>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
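<div>
The two-passdb layout quoted above (an EXTERNAL-only passwd-file with override_fields = nopassword, followed by a normal passwd-file with real credentials) can be modelled in a few lines to show why the second database is needed and what the TLS layer must guarantee before EXTERNAL is accepted. The block below is an added example written for this page; it is not Dovecot's or Postfix's code. It assumes the passwd-file layout user:password:uid:gid:gecos:home:shell, models auth_ssl_username_from_cert=yes as "take the login name from the certificate's CN", and simplifies Dovecot's passdb chaining to "the first passdb that knows the user decides" (the result_* settings are not modelled). All users, passwords and certificate names are constructed.
</div>

```python
# Added example, not Dovecot or Postfix code: a model of the two-passdb layout
# from the quoted mail, run against constructed passwd-file contents.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def sha256_scheme(password: str) -> str:
    """Encode a password the way a {SHA256} passwd-file entry stores it (base64 of the raw digest)."""
    return "{SHA256}" + base64.b64encode(hashlib.sha256(password.encode()).digest()).decode()


# Constructed contents of the two databases named in the quoted configuration.
# passwd-file format: user:password:uid:gid:gecos:home:shell:extra (trailing fields may be empty).
PASS_EXTERNAL_DB = """\
# /etc/dovecot/pass-external.db (constructed): who may log in via EXTERNAL, no passwords
steffen:
alice:
"""
PASS_DB = "# /etc/dovecot/pass.db (constructed): same users with real credentials\n" \
          "steffen:" + sha256_scheme("hunter2") + "\n" \
          "alice:{PLAIN}s3cret\n"


def parse_passwd_file(text: str) -> dict:
    """Return {user: stored_password} from passwd-file text; comments and blank lines are ignored."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = fields[1] if len(fields) > 1 else ""
    return users


def verify_password(stored: str, given: Optional[str]) -> bool:
    """Check a {PLAIN} or {SHA256} entry; an empty entry, missing password or unknown scheme never matches."""
    if not stored or given is None:
        return False
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(stored[len("{PLAIN}"):], given)
    if stored.startswith("{SHA256}"):
        return hmac.compare_digest(stored, sha256_scheme(given))
    return False


@dataclass
class Passdb:
    users: dict
    mechanisms: Optional[frozenset]  # None: consulted for every mechanism
    nopassword: bool = False         # models override_fields = nopassword


@dataclass
class ClientCert:
    common_name: str
    verified: bool  # True only if the TLS layer validated the chain against the configured CA


def username_from_cert(cert: ClientCert) -> str:
    """Model of auth_ssl_username_from_cert=yes (assumption: the CN field is used)."""
    return cert.common_name


def authenticate(passdbs, mechanism: str, username: Optional[str] = None,
                 password: Optional[str] = None, cert: Optional[ClientCert] = None) -> bool:
    """Run one login attempt through the passdb chain; True means the login is accepted."""
    mechanism = mechanism.upper()
    if mechanism == "EXTERNAL":
        # EXTERNAL carries no secret: the identity must already be proven by a verified client cert.
        if cert is None or not cert.verified:
            return False
        cert_user = username_from_cert(cert)
        if username is None:
            username = cert_user
        elif username != cert_user:
            return False  # a requested authorization identity may not differ from the certified one
    for db in passdbs:
        if db.mechanisms is not None and mechanism not in db.mechanisms:
            continue  # this passdb is not consulted for this mechanism
        if username not in db.users:
            continue  # unknown here: fall through to the next passdb
        if db.nopassword:
            return True  # entry found and nopassword set: no password check
        return verify_password(db.users[username], password)
    return False  # no passdb accepted the user


# The layout from the mail: EXTERNAL-only database first, password database second.
PASSDBS = (
    Passdb(parse_passwd_file(PASS_EXTERNAL_DB), frozenset({"EXTERNAL"}), nopassword=True),
    Passdb(parse_passwd_file(PASS_DB), None),
)
# The single-database layout the trick replaces: EXTERNAL has no password to offer it.
SINGLE_PASSDB = (Passdb(parse_passwd_file(PASS_DB), None),)

if __name__ == "__main__":
    print("EXTERNAL, verified cert:", authenticate(PASSDBS, "EXTERNAL", cert=ClientCert("steffen", True)))
    print("EXTERNAL, unverified cert:", authenticate(PASSDBS, "EXTERNAL", cert=ClientCert("steffen", False)))
    print("PLAIN, right password:", authenticate(PASSDBS, "PLAIN", "steffen", "hunter2"))
    print("EXTERNAL against pass.db only:", authenticate(SINGLE_PASSDB, "EXTERNAL", cert=ClientCert("steffen", True)))
```

<div>
The last case is the point of the trick: against pass.db alone, EXTERNAL fails because the mechanism supplies no password for the stored hash to be checked against, while the nopassword database accepts the user once the certificate has been verified and its CN matched. The model also makes the defender's precondition explicit: an EXTERNAL passdb without a password is only safe when the login layer refuses EXTERNAL for connections that did not present a certificate validated against the configured CA.
</div>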
</body>
</html>