Hi all! I have been using GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ goes through how to set it up for web pages.
In any event, what I’m looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says "These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter”. I guess it’s kind of academic, but I thought I’d ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it? Thanks! Brian
signature.asc
Description: Message signed with OpenPGP
