On Wed, Dec 29, 2010 at 02:45:39PM -0500, Wietse Venema wrote:

> > So, unlike the TLS proxy, the AUTH proxy (as e.g. the Cyrus saslauthd
> > service) may need to be a forking multi-process service.
>
> As long as the postscreen side is event-driven, some latency in
> AUTH support is not a problem. AUTH can be a plain old multi-server
> like trivial-rewrite or proxymap, with the difference that the
> protocol may have intermediate steps between initial request and
> final response.

Do you want to proxy just the AUTH protocol bits, or hand off the socket
as with TLS? If we want to eventually implement support for SASL
security-layers (ssf > 0), AUTH becomes substantially like TLS, and the
AUTH proxy potentially decrypts the stream...

--
Viktor.