Alexander Leidinger via Postfix-users:
> On 2024-12-22 01:39, Peter via Postfix-users wrote:
> > On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
> >> 
> >> However, there are other mechanisms being developed, for example 
> >> OAUTH2,
> >> which, in terms of Cyrus SASL, does not work with saslauthd at all,
> > 
> > I don't see why it wouldn't.
> > 
> >> so
> >> needs direct integration within postfix in a form of plugin.
> > 
> > I don't see why we would need such plugins in Postfix, but if the need 
> > arises I suppose libgsasl might be an option, if someone wants to put 
> > the work into it.
> > 
> >> Should such mechanisms be avoided in Postfix?
> > 
> > When it comes to OAUTH the actual SASL interface simply needs to accept 
> > a bearer token and then works pretty much the same as PLAIN would work. 
> > Dovecot supports this, I can't speak for whether Cyrus does but I don't 
> > see why it wouldn't, or why it would be particularly difficult.
> > 
> > That said, OAUTH requires a whole other supporting interface which is 
> > used to generate the token to begin with, and this is likely beyond the 
> > scope of the SASL interface (and should remain so).  It likely requires 
> > a web server interface to authenticate the user and either directly 
> > supply the token or possibly supply the token to a third-party app via 
> > an API (after authenticating the user via the web interface).  Neither 
> > Postfix nor the SASL backend should have to worry about this aspect of 
> > OAUTH, though.
> 
> I haven't followed the entire discussion, I just have seen this message 
> and the ones after it. As a data point, I have used OAUTH2 with postfix / 
> dovecot for a long time (a year or two/three). The webmail interface I 
> use is authenticating against dovecot and uses the same user/oauth token 
> for its authentication against postfix. Works like a charm and neither 
> postfix nor dovecot need to worry about how to generate the token, 
> that's up to the client which talks to them (unfortunately I haven't 
> found a client for android which supports OAUTH for mail reading/sending 
> yet... Aqua Mail is supposed to be able to do that for GMail and 
> Outlook, but with my own IMAP/SMTP/OIDC servers I do not see/find how to 
> achieve this).
> 
> The corresponding postfix login looks like this:
> Dec 22 15:33:43 xxx postfix/smtpd[34391]: 55E958DF6: 
> client=xxx[1.2.3.4], sasl_method=XOAUTH2, sasl_username=xxx

That is good news. Do you have essential examples for configuration
that I can include in Postfix documentation?

        Wietse
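
An added illustration, not part of any message in this thread and not Postfix, Dovecot or Cyrus code: the point above that a bearer-token mechanism "works pretty much the same as PLAIN" can be seen by parsing both SASL initial responses side by side. The XOAUTH2 layout follows Google's published description of the mechanism; the user name, password and token below are constructed sample values.

```python
import base64

def b64(raw: bytes) -> str:
    """Base64-encode a raw SASL initial response as sent after AUTH <mech>."""
    return base64.b64encode(raw).decode("ascii")

def build_plain(user: str, password: str) -> str:
    # RFC 4616: [authzid] NUL authcid NUL passwd
    return b64(b"\x00" + user.encode() + b"\x00" + password.encode())

def build_xoauth2(user: str, token: str) -> str:
    # XOAUTH2: "user=" user ^A "auth=Bearer " token ^A ^A
    return b64(b"user=" + user.encode() + b"\x01auth=Bearer " + token.encode() + b"\x01\x01")

def parse_plain(blob: str) -> dict:
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN response")
    return {"mechanism": "PLAIN", "user": parts[1].decode(), "secret": parts[2].decode()}

def parse_xoauth2(blob: str) -> dict:
    raw = base64.b64decode(blob, validate=True)
    if not raw.endswith(b"\x01\x01"):
        raise ValueError("XOAUTH2 response lacks ^A^A terminator")
    fields = {}
    for item in raw[:-2].split(b"\x01"):
        key, sep, value = item.partition(b"=")  # tokens may contain '=' themselves
        if not sep or key in fields:
            raise ValueError("malformed or duplicate XOAUTH2 field")
        fields[key] = value
    if set(fields) != {b"user", b"auth"}:
        raise ValueError("XOAUTH2 response must carry exactly user= and auth=")
    scheme, _, token = fields[b"auth"].partition(b" ")
    if scheme.lower() != b"bearer" or not token or not fields[b"user"]:
        raise ValueError("auth= must be a non-empty Bearer token")
    # Same shape as PLAIN: an identity plus one secret handed to the backend.
    return {"mechanism": "XOAUTH2", "user": fields[b"user"].decode(), "secret": token.decode()}

if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    print(parse_plain(build_plain("alice@example.org", "constructed-password")))
    print(parse_xoauth2(build_xoauth2("alice@example.org", "constructed.token==")))
```

In both cases the server receives an identity and a single secret; what differs is that the backend validates the token against the issuer instead of comparing a password, which is why token issuance stays outside the SASL layer.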