On 2024-12-22 01:39, Peter via Postfix-users wrote:
> On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
>
>> However, there are other mechanisms being developed, for example OAUTH2,
>> which, in terms of Cyrus SASL, does not work with saslauthd at all,
>
> I don't see why it wouldn't.
>
>> so
>> needs direct integration within postfix in a form of plugin.
>
> I don't see why we would need such plugins in Postfix, but if the need arises I suppose libgsasl might be an option, if someone wants to put the work into it.
>
>> Should such mechanisms be avoided in Postfix?
>
> When it comes to OAUTH the actual SASL interface simply needs to accept a bearer token and then works pretty much the same as PLAIN would work. Dovecot supports this, I can't speak for whether Cyrus does but I don't see why it wouldn't, or why it would be particularly difficult.
>
> That said, OAUTH requires a whole other supporting interface which is used to generate the token to begin with, and this is likely beyond the scope of the SASL interface (and should remain so). It likely requires a web server interface to authenticate the user and either directly supply the token or possibly supply the token to a third-party app via an API (after authenticating the user via the web interface). Neither Postfix nor the SASL backend should have to worry about this aspect of OAUTH, though.

I haven't followed the entire discussion; I have just seen this message and the ones after it. As a data point, I have used OAUTH2 with postfix / dovecot for a long time (a year or two/three). The webmail interface I use is authenticating against dovecot and uses the same user/oauth token for its authentication against postfix. Works like a charm and neither postfix nor dovecot need to worry about how to generate the token, that's up to the client which talks to them (unfortunately I haven't found a client for Android which supports OAUTH for mail reading/sending yet... Aqua Mail is supposed to be able to do that for GMail and Outlook, but with my own IMAP/SMTP/OIDC servers I do not see/find how to achieve this).

The corresponding postfix login looks like this:
Dec 22 15:33:43 xxx postfix/smtpd[34391]: 55E958DF6: client=xxx[1.2.3.4], sasl_method=XOAUTH2, sasl_username=xxx

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
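
The point quoted above, that a SASL mechanism for OAuth only has to accept a bearer token and otherwise behaves much like PLAIN, can be seen by comparing the two initial client responses. This is an added example, not code from this thread or from Postfix, Dovecot or Cyrus SASL; the function names are hypothetical, the credentials are constructed, and the wire formats are PLAIN per RFC 4616 and the XOAUTH2 layout used by the mechanism named in the log line.

```python
import base64

def encode_plain(user, password, authzid=""):
    # RFC 4616: authzid NUL authcid NUL passwd
    raw = f"{authzid}\0{user}\0{password}"
    return base64.b64encode(raw.encode()).decode()

def encode_xoauth2(user, token):
    # XOAUTH2: "user=" user ^A "auth=Bearer " token ^A ^A
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def decode_initial_response(mechanism, b64):
    """Return (username, secret) as a SASL backend would extract them.

    For PLAIN the secret is a password; for XOAUTH2 it is a bearer token
    that the backend still has to validate with the token issuer.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed initial response") from exc

    if mechanism == "PLAIN":
        parts = raw.split("\0")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError("malformed PLAIN response")
        return parts[1], parts[2]

    if mechanism == "XOAUTH2":
        if not raw.endswith("\x01\x01"):
            raise ValueError("malformed XOAUTH2 response")
        fields = dict(kv.split("=", 1)
                      for kv in raw[:-2].split("\x01") if "=" in kv)
        auth = fields.get("auth", "")
        prefix = "Bearer "
        if not fields.get("user") or not auth.startswith(prefix) \
                or len(auth) == len(prefix):
            raise ValueError("malformed XOAUTH2 response")
        return fields["user"], auth[len(prefix):]

    raise ValueError(f"unsupported mechanism: {mechanism}")

if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for mech, blob in (("PLAIN", encode_plain("alice@example.org", "pw")),
                       ("XOAUTH2", encode_xoauth2("alice@example.org", "tok123"))):
        print(mech, decode_initial_response(mech, blob))
```

In both cases the backend ends up with a username and one opaque secret; only the check applied to that secret differs, which is why issuing the token can stay outside the SASL layer.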
