> On 21/08/2020 17:56 Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
> 
> 
> Aki Tuomi wrote in
> <1907575568.4364.1597984769...@appsuite-dev-gw1.open-xchange.com>:
> |> On 21/08/2020 02:17 Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
> ...
> |> Wietse Venema wrote in
> |> <4bxstk189nzj...@spike.porcupine.org>:
> |> ...
> |>|Steffen Nurpmeso:
> |> ...
> |>|> until SASL says it is done?!. How could EXTERNAL ever work like
> |>|> that in a client/server->auth-server situation?
> ...
> |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
> |>|two attributes that might be relevant, and that Postfix can send:
> |>|
> |>|secured
> |>| Remote user has secured transport to auth client (eg. localhost, \
> |>| SSL, TLS)
> |>|
> |>|valid-client-cert
> |>| Remote user has presented a valid SSL certificate.
> |>|
> |>|But these are booleans. What protocol attribute would Postfix use
> |>|to pass certificate name information (and which name, as there
> |>|can be any number of them)?
> ...
> |I was trying to suggest that you could try dovecot submission server. \
> |It might work better with EXTERNAL authentication.
> 
> Ok, thanks. Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication. (I use your output as a template and do
> stuff like
> 
> smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
> -Stls-config-pairs=Certificate=client-pair.pem
> { smtp_ehlo && printf '\001
> STARTTLS
> \003
> 220 2.0.0 Ready to start TLS
> ' &&
> smtp_ehlo 0 && printf '\001
> AUTH EXTERNAL =
> ' &&
> smtp_auth_ok && smtp_go; } |
> ../net-test -U -s .t.sh > "${MBOX}" 2>&1
> check auth-7 0 "${MBOX}" '4294967295 0'
> 
> you know. Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unprivileged account!)
> 
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server? Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
> 
> Other than that i say
> Ciao from Germany!
> 
> --steffen
> |
> |Der Kragenbaer, The moon bear,
> |der holt sich munter he cheerfully and one by one
> |einen nach dem anderen runter wa.ks himself off
> |(By Robert Gernhardt)
Sorry for the duplicate mail, I accidentally pressed too many keys... *sigh*

Anyways, I'm not sure if you understood my point. I meant: have you tried EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission_server/ ?

Aki
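Added example (editor's illustration, not code from this thread, from Dovecot or from Postfix): it models the Dovecot auth-client protocol AUTH request that Wietse refers to above, tab-separated, with bare words for boolean attributes such as "secured" and "valid-client-cert" and key=value pairs for the rest, built for the SASL EXTERNAL mechanism and parsed again on the auth-server side. On top of the real line format it carries the certificate-fingerprint attribute Steffen proposes. Assumptions, all hypothetical: the attribute name "cert-fingerprint", its "<digest>:<hex>" value form, the server-side fingerprint-to-user lookup, and SAMPLE_DER, which is constructed bytes standing in for a client certificate, not a real certificate.

```python
# Added example, not code from the thread, from Dovecot or from Postfix.
# Real parts: the AUTH line layout (AUTH<TAB>id<TAB>mech<TAB>service=...
# followed by attributes, then resp=<base64>), the bare-word booleans
# "secured" / "valid-client-cert", and OK/FAIL replies with user= / reason=.
# HYPOTHETICAL parts (Steffen's proposal, not in the real protocol): the
# "cert-fingerprint=<digest>:<hex>" attribute and the server-side policy.
import base64
import hashlib
from typing import Optional

# Constructed stand-in for a client certificate's DER bytes (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest over the DER encoding, the form TLS stacks report."""
    return hashlib.new(algo, der).hexdigest()


def build_auth_line(req_id: int, mech: str, service: str, *, secured: bool,
                    valid_client_cert: bool, client_der: Optional[bytes] = None,
                    digest_algo: str = "sha256", authzid: bytes = b"") -> str:
    """Auth-client side: what Postfix or a submission server would send."""
    fields = ["AUTH", str(req_id), mech, f"service={service}"]
    if secured:
        fields.append("secured")                       # boolean: bare word
    if valid_client_cert:
        fields.append("valid-client-cert")             # boolean: bare word
        if client_der is not None:
            # HYPOTHETICAL attribute; the digest name would be whatever the
            # auth server announced it accepts.
            fields.append(f"cert-fingerprint={digest_algo}:"
                          f"{fingerprint(client_der, digest_algo)}")
    # EXTERNAL's initial response is the (usually empty) authzid. In SMTP an
    # empty initial response is written as "=" (the "AUTH EXTERNAL =" in the
    # test script above); here it is simply an empty base64 string.
    fields.append("resp=" + base64.b64encode(authzid).decode("ascii"))
    return "\t".join(fields) + "\n"


def parse_auth_line(line: str) -> dict:
    """Auth-server side: split the request into id, mechanism and attributes."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request")
    attrs = {}
    for field in parts[3:]:
        key, sep, value = field.partition("=")
        attrs[key] = value if sep else True            # bare word => flag
    return {"id": int(parts[1]), "mech": parts[2], "attrs": attrs}


def decide(req: dict, fingerprint_db: dict, digest_algo: str = "sha256") -> str:
    """HYPOTHETICAL auth-server policy for EXTERNAL: accept the client's
    certificate validation only together with a secured transport, then map
    the reported fingerprint to a user from one database."""
    rid, attrs = req["id"], req["attrs"]
    if req["mech"] != "EXTERNAL":
        return f"FAIL\t{rid}\treason=only EXTERNAL handled here"
    if attrs.get("secured") is not True or attrs.get("valid-client-cert") is not True:
        return f"FAIL\t{rid}\treason=EXTERNAL needs a verified client cert over TLS"
    algo, _, hexdigest = str(attrs.get("cert-fingerprint", "")).partition(":")
    if algo != digest_algo:
        # Refuse other digests instead of comparing across algorithms.
        return f"FAIL\t{rid}\treason=unsupported or missing fingerprint digest"
    user = fingerprint_db.get(hexdigest.lower())
    if user is None:
        return f"FAIL\t{rid}\treason=unknown client certificate"
    return f"OK\t{rid}\tuser={user}"


if __name__ == "__main__":
    db = {fingerprint(SAMPLE_DER): "steffen"}            # constructed user db
    line = build_auth_line(1, "EXTERNAL", "smtp", secured=True,
                           valid_client_cert=True, client_der=SAMPLE_DER)
    print(line, end="")
    print(decide(parse_auth_line(line), db))
```

The point of the shape: the two booleans only tell the auth server that the auth client verified something; the server still cannot tell which certificate it was, which is exactly the gap Wietse's question and Steffen's fingerprint proposal are about.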