Alexander Leidinger via Postfix-users:
> Am 2024-12-22 01:39, schrieb Peter via Postfix-users:
> > On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
> >>
> >> However, there are other mechanisms being developed, for example
> >> OAUTH2,
> >> which, in terms of Cyrus SASL, does not work with saslauthd at all,
> >
> > I don't see why it wouldn't.
> >
> >> so
> >> needs direct integration within postfix in a form of plugin.
> >
> > I don't see why we would need such plugins in Postfix, but if the need
> > arises I suppose libgsasl might be an option, if someone wants to put
> > the work into it.
> >
> >> Should such mechanisms be avoided in Postfix?
> >
> > When it comes to OAUTH the actual SASL interface simply needs to accept
> > a bearer token and then works pretty much the same as PLAIN would work.
> > Dovecot supports this, I can't speak for whether Cyrus does but I don't
> > see why it wouldn't, or why it would be particularly difficult.
> >
> > That said, OAUTH requires a whole other supporting interface which is
> > used to generate the token to begin with, and this is likely beyond the
> > scope of the SASL interface (and should remain so). It likely requires
> > a web server interface to authenticate the user and either directly
> > supply the token or possibly supply the token to a third-party app via
> > an API (after authenticating the user via the web interface). Neither
> > Postfix nor the SASL backend should have to worry about this aspect of
> > OAUTH, though.
>
> I haven't followed the entire discussion, I just have seen this messages
> and the ones after it. As a data point, I use OAUTH2 with postfix /
> dovecot since a long time (a year or two/three). The webmail interface I
> use is authenticating against dovecot and uses the same user/oauth token
> for it's authentication against postfix. Works like a charm and neither
> postfix nor dovecot need to worry about how to generate the token,
> that's up to the client which talks to them (unfortunately I haven't
> found a client for android which supports OAUTH for mail reading/sending
> yet... Aqua Mail is supposed to be able to do that for GMail and
> Outlook, but with my own IMAP/SMTP/OIDC servers I do not see/find how to
> achieve this).
>
> The corresponding postfix login looks like this:
> Dec 22 15:33:43 xxx postfix/smtpd[34391]: 55E958DF6:
> client=xxx[1.2.3.4], sasl_method=XOAUTH2, sasl_username=xxx
That is good news. Do you have essential examples for configuration
that I can include in Postfix documentation?
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
