22.12.2024 03:39, Peter via Postfix-users wrote:
> On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
>>
>> However, there are other mechanisms being developed, for example OAUTH2,
>> which, in terms of Cyrus SASL, does not work with saslauthd at all,
>
> I don't see why it wouldn't.

saslauthd has a very simple protocol, basically: read(username, password),
write(ok|bad).  It doesn't read anything else like dovecot auth does;
it's basically just a password verifier.  For any other mechanism, other
components are needed too (e.g., client address).

>> so
>> needs direct integration within postfix in a form of plugin.
>
> I don't see why we would need such plugins in Postfix, but if the need arises I suppose libgsasl might be an option, if someone wants to put the work into it.

Postfix doesn't "need" such plugins, but it already is *using* such plugins
when it makes use of the cyrus sasl library with "pwcheck_method: auxprop"
(which is just an alternative to "pwcheck_method: saslauthd", which is
very limited by its protocol).

>> Should such mechanisms be avoided in Postfix?
>
> When it comes to OAUTH the actual SASL interface simply needs to accept a bearer token and then works pretty much the same as PLAIN would work. Dovecot supports this, I can't speak for whether Cyrus does but I don't see why it wouldn't, or why it would be particularly difficult.
>
> In Cyrus SASL this is implemented as a plugin which gets loaded into
> the Postfix address space.

Aha.  Thank you for this.  I suspected it was the case while looking
at the code and searching the 'net.

> It might be prudent to at least update the Postfix documentation to state that Postfix supports all of the mechs that Dovecot supports to help avoid this sort of confusion in the future.

Yes, that'd help neophytes like me.

>> As I already mentioned, people do use other SASL mechanisms with Cyrus
>> SASL configuration (since dovecot sasl is an integral part of dovecot,
>> and not everyone uses dovecot).
>
> This implies the assumption that you must already be using Dovecot for other purposes if you want to use it for a SASL backend; this is simply not true, and it is very easy to configure Dovecot to act only as a SASL backend, in fact here is a Dovecot config I use on a server to do exactly that:

It is not true for you, but it is for most others who treat dovecot like
a mailbox storage/access solution (IMAP/POP/etc).  Sure, it is capable
of providing just the auth part, it's just not what people think about it.

>> I'm not sure I understand the "LDAP service as a password oracle" choice:
>> who does the SASL verification in there?
>
> Are you maybe confusing client auth (via smtp) with server auth (smtpd)?
> Server auth has two possible backends...

I'm not confusing the two, that's exactly why I asked :)

Thanks,

/mjt
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
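As an added example (not code from this thread, from Postfix or from Cyrus SASL), the exchange Michael describes above, mocked in-process: the client sends only login, password, service and realm, each framed as a 16-bit big-endian length followed by the bytes (which is how saslauthd frames its fields), and the verifier answers OK or NO. The credential store and the mock server are constructed for the example; nothing about the SMTP client address ever crosses the socket, which is the limitation the thread points out.

```python
import socket
import struct
import threading

# Constructed credential store for the mock verifier; a real saslauthd
# would consult PAM, LDAP, etc. (assumption: not taken from the thread).
USERS = {"alice": "s3cret"}

def _pack(fields):
    """saslauthd wire format: each field is a 16-bit big-endian length, then the bytes."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def _read_field(sock):
    (n,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)

def saslauthd_check(sock, login, password, service="smtp", realm=""):
    """Client side: the request is exactly four strings; the reply starts with OK or NO."""
    sock.sendall(_pack([login.encode(), password.encode(), service.encode(), realm.encode()]))
    return _read_field(sock).startswith(b"OK")

def mock_saslauthd(sock):
    """Server side: nothing but login/password/service/realm ever arrives, so the
    verifier cannot see the SMTP client address or any mechanism state."""
    login, password, service, realm = (_read_field(sock) for _ in range(4))
    ok = USERS.get(login.decode()) == password.decode()
    sock.sendall(_pack([b"OK success" if ok else b"NO authentication failed"]))
    sock.close()

def verify(login, password):
    # One client/verifier exchange over an in-process socket pair.
    client, server = socket.socketpair()
    worker = threading.Thread(target=mock_saslauthd, args=(server,))
    worker.start()
    try:
        return saslauthd_check(client, login, password)
    finally:
        client.close()
        worker.join()
```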
