On Tue, Dec 28, 2010 at 09:23:14PM -0500, Wietse Venema wrote:

> I have built an event-driven TLS proxy for postscreen(8). This
> addresses the problem that postscreen(8) could not be used when
> SMTP clients require STARTTLS support.
>
> [...]
>
> Next on the agenda is AUTH support, and that is a lot simpler.

Will there be a snapshot with just the TLS proxy, or just a final
snapshot when AUTH support is also done?

Server-side AUTH support for multiple sessions likely cannot be
implemented in a non-blocking fashion without some sort of concurrency,
the SASL library may consult LDAP, or a variety of similar---potentially
high-latency---data sources. So, unlike the TLS proxy, the AUTH proxy
(as e.g. the Cyrus saslauthd service) may need to be a forking
multi-process service.

Is AUTH support in postscreen really necessary? It seems to me that
AUTH is submission, that should be on 587, not 25, where one does not
want postscreen at all. Perhaps we can encourage better hygiene, by
not offering AUTH in postscreen. People who want AUTH and postscreen,
can migrate their AUTH users to port 587? Or is this still too much
to ask of potential Postfix users?

--
	Viktor.