On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
However, there are other mechanisms being developed, for example OAUTH2,
which, in terms of Cyrus SASL, does not work with saslauthd at all,
I don't see why it wouldn't.
so
needs direct integration within postfix in a form of plugin.
I don't see why we would need such plugins in Postfix, but if the need
arises I suppose libgsasl might be an option, if someone wants to put
the work into it.
Should such mechanisms be avoided in Postfix?
When it comes to OAUTH the actual SASL interface simply needs to accept
a bearer token and then works pretty much the same as PLAIN would work.
Dovecot supports this, I can't speak for whether Cyrus does but I don't
see why it wouldn't, or why it would be particularly difficult.
That said, OAUTH requires a whole other supporting interface which is
used to generate the token to begin with, and this is likely beyond the
scope of the SASL interface (and should remain so). It likely requires
a web server interface to authenticate the user and either directly
supply the token or possibly supply the token to a third-party app via
an API (after authenticating the user via the web interface). Neither
Postfix nor the SASL backend should have to worry about this aspect of
OAUTH, though.
[...] So the
question is whenever non-plaintext mechanisms are actually
supported with dovecot sasl type.
Definitely, but a matter for Dovecot documentation, much more than
Postfix. If dovecot supports mechanism "X", then Postfix with
dovecot as a SASL backend supports mechanism "X"...
Aha. Thank you for this. I suspected it's the case - while looking
at the code and searching the 'net.
It might be prudent to at least update the Postfix documentation to
state that Postfix supports all of the mechs that Dovecot supports to
help avoid this sort of confusion in the future.
As I already mentioned, people do use other SASL mechanisms with Cyrus
SASL configuration (since dovecot sasl is an integral part of dovecot,
and not everyone uses dovecot).
This implies the assumption that you must already be using Dovecot for
other purposes if you want to use it for a SASL backend, this is simply
not true, and it is very easy to configure Dovecot to act only as a SAL
backend, in fact here is a Dovecot config I use on a server to do
exactly that:
passdb {
args = scheme=BLF-CRYPT /etc/dovecot/passwd
driver = passwd-file
}
protocols =
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl = no
I should note that I have not found an example configuration for this
usage documented anywhere online so I had to figure it out myself,
perhaps it would be a good example to document somewhere but may well be
more appropriate for Dovecot documentation.
And for these to work, the code has to
be run directly by postfix components, in a form of plugins, because
saslauthd does not implement anything but PLAIN/LOGIN. This is exactly
the place where it *looks* like postfix needs a proxy of some sort.
Saslauthd already does what's needed for PLAIN/LOGIN, but other mechanisms
doesn't work with it.
I know this is documented in SASL_README but it appears to be a
limitation of saslauthd, not of Postfix. I am curious as to why,
though, does it simply not have backend support for other mechs or is
this old and saslauthd now supports more mechs than PLAIN and LOGIN?
I'm not sure I understand the "LDAP service as a password oracle" choice, -
who does the SASL verification in there?
Are you maybe confusing client auth (via smtp) with server auth (smtpd)?
Server auth has two possible backends, either cyrus or dovecot and
must connect to one of these backend servers to do the actual
authentication. Client auth is only supported for cyrus but here
postfix actually does the authentication itself using the cyrus sasl
libs. It is entirely possible (and even quite common) to have a postfix
server which uses dovecot on the backend for server auth and
authenticates to a relayhost using client auth (which is cyrus).
Peter
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
