
sasl parameters missing

  • Daniel Black
    Message 1 of 3 , Aug 4 3:10 PM
      Story is I deployed a webmail with certificate based authentication that
      substitutes a global master password
      (http://wiki.dovecot.org/Authentication/MasterUsers) when the certificate
      matches. The webmail accesses the inbox by imap and reuses the password for
      smtp through postfix.

      I configured dovecot sasl authentication to allow a particular global password
      to be allowed from one IP address of the webmail server. Unfortunately it
      seems as though postfix doesn't pass rip= (remote ip) or the other AUTH
      parameters of the protocol (http://dovecot.org/doc/auth-protocol.txt).

      Is adding these parameters to postfix's sasl authentication a useful feature
      request?

      Should I be doing this another way?


      --

      Daniel Black
      --
      Proudly a Gentoo Linux User.
      Gnu-PG/PGP signed and encrypted email preferred
      http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
      GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
    • Wietse Venema
      Message 2 of 3 , Aug 4 4:30 PM
        Daniel Black:
        > Story is I deployed a webmail with certificate based authentication that
        > substitutes a global master password
        > (http://wiki.dovecot.org/Authentication/MasterUsers) when the certificate
        > matches. The webmail accesses the inbox by imap and reuses the password for
        > smtp through postfix.
        >
        > I configured dovecot sasl authentication to allow a particular global password
        > to be allowed from one IP address of the webmail server. Unfortunately it
        > seems as though postfix doesn't pass rip= (remote ip) or the other AUTH
        > parameters of the protocol (http://dovecot.org/doc/auth-protocol.txt).

        Postfix passes the information in the SMTP client's AUTH command.
        This is how I got the Dovecot extension from Timo. If someone is
        willing to monitor his docs for changes, then they are welcome to
        do so. I won't.

        > Is adding these parameters to postfix's sasl authentication a useful feature
        > request?
        >
        > Should I be doing this another way?

        Just whitelist the client with:

        /etc/postfix/main.cf:
            smtpd_recipient_restrictions =
                ...
                check_client_access hash:/etc/postfix/sasl_whitelist
                permit_sasl_authenticated
                ...

        /etc/postfix/sasl_whitelist:
            1.2.3.4 OK

        Wietse
      • Daniel Black
        Message 3 of 3 , Aug 5 5:38 AM
          Thanks Wietse,

          On Tue, 5 Aug 2008 09:30:44 am Wietse Venema wrote:
          > Postfix passes the information in the SMTP client's AUTH command.
          > This is how I got the Dovecot extension from Timo. If someone is
          > willing to monitor his docs for changes,

          it seems fairly stable. Going off the doc/auth-protocol.txt changelog
          Nov 12 2006 lport/rport was added.
          Aug 07 2005 changed valid-client-cert to ssl-valid-cert
          Oct 22 2004 original documentation

          Current implementation of the authentication server in dovecot seems to ignore
          parameters it doesn't understand.

          > then they are welcome to do so. I won't.

          On the basis of this apparent stability and compatibility would you consider
          accepting a patch?

          > > Is adding these parameters to postfix's sasl authentication a useful
          > > feature request?
          > >
          > > Should I be doing this another way?
          >
          > Just whitelist the client with:
          >
          good idea. Though by offering smtp services to users I don't think I can get
          away with something so simple.

          Strictly speaking don't need the web mail to authenticate though I like the
          added anti-spoofing protection it provides.

          I guess a password so long that it isn't realistically brute-forceable will
          do.

          --

          Daniel Black
          --
          Proudly a Gentoo Linux User.
          Gnu-PG/PGP signed and encrypted email preferred
          http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
          GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
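
The rip= dependency discussed in this thread, as an added example that is not part of the original messages and is not Postfix or Dovecot code: it parses tab-separated AUTH requests in the style of Dovecot's auth-protocol.txt, skips parameters it does not know (the behaviour Daniel reports for the Dovecot auth server), and applies an IP restriction to the master credential. The policy function, its fail-closed handling of a missing rip=, the addresses and the sample requests are all constructed assumptions.

```python
import ipaddress

# Subset of AUTH parameters from Dovecot's auth-protocol.txt; others are ignored.
KNOWN = {"service", "lip", "rip", "lport", "rport", "secured", "resp"}

def parse_auth(line):
    """Split a tab-separated AUTH request into (id, mechanism, params, ignored)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params, ignored = {}, []
    for field in fields[3:]:
        key, _, value = field.partition("=")
        if key in KNOWN:
            params[key] = value      # flag parameters such as "secured" map to ""
        else:
            ignored.append(key)      # unknown parameter: skipped, not an error
    return fields[1], fields[2], params, ignored

def master_login_allowed(params, allowed_net):
    """Hypothetical policy: accept the master credential only from allowed_net.
    Without rip= the check cannot be made, so the request fails closed."""
    rip = params.get("rip")
    if rip is None:
        return False
    try:
        return ipaddress.ip_address(rip) in ipaddress.ip_network(allowed_net)
    except ValueError:               # malformed address in rip=
        return False

WEBMAIL_NET = "192.0.2.10/32"        # constructed: the webmail server's address
SAMPLES = {                          # constructed AUTH requests
    "imap with rip": "AUTH\t1\tPLAIN\tservice=imap\tlip=192.0.2.1\trip=192.0.2.10\tresp=AGEAYg==",
    "smtp without rip": "AUTH\t2\tPLAIN\tservice=smtp\tresp=AGEAYg==",
    "other host": "AUTH\t3\tPLAIN\tservice=smtp\trip=198.51.100.7\tresp=AGEAYg==",
    "unknown parameter": "AUTH\t4\tPLAIN\tservice=smtp\trip=192.0.2.10\tfuture-flag=1\tresp=AGEAYg==",
}

def evaluate(samples=SAMPLES, net=WEBMAIL_NET):
    """Return {name: (allowed, ignored_parameters)} for each sample request."""
    results = {}
    for name, line in samples.items():
        _, _, params, ignored = parse_auth(line)
        results[name] = (master_login_allowed(params, net), ignored)
    return results

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

The "smtp without rip" request is the case from the first message: the credential is correct, but the address restriction has nothing to compare against.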