Hi all!

I have been using GSSAPI authentication method for all my externally reachable 
endpoints for some time under the theory that they cannot be hit with a 
dictionary attack. Unfortunately, this means iOS devices cannot log in since 
they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail can use 
GSSAPI just fine and 
https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ 
goes through how to set it up for web pages.

In any event, what I’m looking to do is use a filter 
(https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such 
that it will allow plain authentication when the client is on a local network 
or the VPN. Unfortunately, the fine print on filters says "These filters work 
for most of the settings, but most importantly auth settings currently only 
support the protocol filter”.

I guess it’s kind of academic, but I thought I’d ask why this is a limitation? 
If there is not a profound security reason to not support this, is this a good 
enough use case to consider it?

Thanks! Brian

Attachment: signature.asc
Description: Message signed with OpenPGP

Reply via email to