On 31 May 2016 at 17:21, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> The Dovecot SASL backend has access to the client's IP address,
> but I don't know whether it sees that early enough to supply Postfix
> with a client-dependent mechanism list, nor whether Dovecot has the
> feature you're looking for.

The Cyrus backend also has access to the client's IP address - it looks like it is possible to write a Cyrus plug-in that behaves differently for different clients. However it seems Postfix does not pass the client IP address through the SASL API so I think it is a non-starter.

From xsasl_cyrus_server.c (3.1.1):

#if SASL_VERSION_MAJOR >= 2 && defined(USE_SASL_IP_AUTH)

    /*
     * Get IP addresses of local and remote endpoints for SASL.
     */
#error "USE_SASL_IP_AUTH is not implemented"
#else

    /*
     * Don't give any IP address information to SASL. SASLv1 doesn't use it,
     * and in SASLv2 this will disable any mechanisms that do.
     */
    server_address = 0;
    client_address = 0;
#endif

    if ((sasl_status =
         SASL_SERVER_NEW(args->service, var_myhostname,
                         args->user_realm ? args->user_realm : NO_AUTH_REALM,
                         server_address, client_address,
                         NO_SESSION_CALLBACKS, NO_SECURITY_LAYERS,
                         &sasl_conn)) != SASL_OK)
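
For reference, an added example that is not part of the original message and is not Postfix code: Cyrus SASL's sasl_server_new() takes the local and remote endpoints as "address;port" strings, which is what the unimplemented USE_SASL_IP_AUTH branch above would have to build. The helper names sasl_ipport and sasl_ipport_text are hypothetical, the addresses are constructed, and reducing IPv4-mapped addresses to dotted-quad is this example's own choice.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not Postfix code: render a socket address as the
 * "address;port" string sasl_server_new() accepts. 0 = ok, -1 = no IP. */
int sasl_ipport(const struct sockaddr *sa, char *buf, size_t len)
{
    char host[INET6_ADDRSTRLEN];
    const void *addr;
    struct in_addr v4;
    int family = sa->sa_family, n;
    unsigned port;

    if (family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *) sa;
        addr = &in4->sin_addr;
        port = ntohs(in4->sin_port);
    } else if (family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *) sa;
        addr = &in6->sin6_addr;
        port = ntohs(in6->sin6_port);
        /* Example's choice: report IPv4-mapped clients as dotted-quad. */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr)) {
            memcpy(&v4, &in6->sin6_addr.s6_addr[12], sizeof(v4));
            addr = &v4;
            family = AF_INET;
        }
    } else
        return -1;                      /* e.g. AF_UNIX: nothing to pass */
    if (inet_ntop(family, addr, host, sizeof(host)) == NULL)
        return -1;
    n = snprintf(buf, len, "%s;%u", host, port);
    return (n < 0 || (size_t) n >= len) ? -1 : 0;   /* reject truncation */
}

/* Demo entry point: parse a constructed textual address, then format it. */
int sasl_ipport_text(int af, const char *ip, unsigned port, char *buf, size_t len)
{
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };

    if (af == AF_INET6 && inet_pton(af, ip, &s6.sin6_addr) == 1)
        return sasl_ipport((const struct sockaddr *) &s6, buf, len);
    if (af == AF_INET && inet_pton(af, ip, &s4.sin_addr) == 1)
        return sasl_ipport((const struct sockaddr *) &s4, buf, len);
    return -1;
}
```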