Alexander Leidinger via Postfix-users:
> On 2024-12-22 01:39, Peter via Postfix-users wrote:
> > On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
> >>
> >> However, there are other mechanisms being developed, for example
> >> OAUTH2,
> >> which, in terms of Cyrus SASL, does not work with saslauthd at all,
> >
> > I don't see why it wouldn't.
> >
> >> so
> >> needs direct integration within postfix in a form of plugin.
> >
> > I don't see why we would need such plugins in Postfix, but if the need
> > arises I suppose libgsasl might be an option, if someone wants to put
> > the work into it.
> >
> >> Should such mechanisms be avoided in Postfix?
> >
> > When it comes to OAUTH the actual SASL interface simply needs to accept
> > a bearer token and then works pretty much the same as PLAIN would work.
> > Dovecot supports this, I can't speak for whether Cyrus does but I don't
> > see why it wouldn't, or why it would be particularly difficult.
> >
> > That said, OAUTH requires a whole other supporting interface which is
> > used to generate the token to begin with, and this is likely beyond the
> > scope of the SASL interface (and should remain so). It likely requires
> > a web server interface to authenticate the user and either directly
> > supply the token or possibly supply the token to a third-party app via
> > an API (after authenticating the user via the web interface). Neither
> > Postfix nor the SASL backend should have to worry about this aspect of
> > OAUTH, though.
>
> I haven't followed the entire discussion, I just have seen these messages
> and the ones after it. As a data point, I use OAUTH2 with postfix /
> dovecot for a long time (a year or two/three). The webmail interface I
> use is authenticating against dovecot and uses the same user/oauth token
> for its authentication against postfix. Works like a charm and neither
> postfix nor dovecot need to worry about how to generate the token,
> that's up to the client which talks to them (unfortunately I haven't
> found a client for android which supports OAUTH for mail reading/sending
> yet... Aqua Mail is supposed to be able to do that for GMail and
> Outlook, but with my own IMAP/SMTP/OIDC servers I do not see/find how to
> achieve this).
>
> The corresponding postfix login looks like this:
> Dec 22 15:33:43 xxx postfix/smtpd[34391]: 55E958DF6:
> client=xxx[1.2.3.4], sasl_method=XOAUTH2, sasl_username=xxx

That is good news. Do you have essential examples for configuration
that I can include in Postfix documentation?

        Wietse
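
Added example, not part of the thread and not code from any of its participants: a small Python audit of Postfix smtpd log lines in the format quoted above, listing accounts that still authenticate with a password mechanism instead of a token-based one. The sample log lines, host names, addresses and the `TOKEN_MECHANISMS` policy set are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the smtpd "client=..., sasl_method=..., sasl_username=..." record
# in the form of the log line quoted in the thread (unwrapped to one line).
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue_id>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), "
    r"sasl_username=(?P<user>\S+)"
)

# Assumption: which mechanisms count as token-based is a local policy choice.
TOKEN_MECHANISMS = {"XOAUTH2", "OAUTHBEARER"}


def parse_sasl_logins(lines):
    """Yield one dict per SASL-authenticated smtpd record in the log lines."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["method"] = rec["method"].upper()
            yield rec


def password_logins_by_user(lines):
    """Map username -> sorted (method, ip) pairs for non-token logins."""
    found = defaultdict(set)
    for rec in parse_sasl_logins(lines):
        if rec["method"] not in TOKEN_MECHANISMS:
            found[rec["user"]].add((rec["method"], rec["ip"]))
    return {user: sorted(hits) for user, hits in found.items()}


# Constructed sample input (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Dec 22 15:33:43 mx postfix/smtpd[34391]: 55E958DF6: client=webmail.example[192.0.2.10], sasl_method=XOAUTH2, sasl_username=alice
Dec 22 15:40:02 mx postfix/smtpd[34410]: 6A1B23C4D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Dec 22 15:41:17 mx postfix/smtpd[34412]: 7C9D0E1F2: client=laptop.example[192.0.2.55], sasl_method=LOGIN, sasl_username=bob
Dec 22 15:42:00 mx postfix/smtpd[34412]: connect from laptop.example[192.0.2.55]
""".splitlines()

if __name__ == "__main__":
    for user, hits in sorted(password_logins_by_user(SAMPLE_LOG).items()):
        print(user, hits)
```
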