Hello. I am new to this list, and only come here to continue on this old thread. I have restored it from
X-MARC-Message: https://marc.info/?l=postfix-users&m=155674111415072, so message-id etc. may not truly be correct; I apologise for that.

And also, first, thank you for postfix; I have used it for quite some years for my small private use cases, and it is working just fine!

I have problems dealing with EXTERNAL authentication in conjunction with postfix, too. And whereas I personally like EXTERNAL very much, because I think that "client certificates everywhere" would be a good thing also for the IoT, so to say, my personal interest for now lies solely in proper (testing) support of EXTERNAL authentication in the small MUA I maintain.

I have no idea of the inner sensitivities of postfix, but I do not understand where the problem lies. Why does postfix "wave through" the SASL offering of EXTERNAL when it does not support it? (I have no idea of SASL library interfaces.)

If postfix is configured to check client certificates, why does it not "simply" allow the same configuration setting that dovecot supports, something like auth_ssl_username_from_cert=yes, then require that for case(EXTERNAL) nothing but an empty immediate response is passed, and then pass the user given in the certificate to the dovecot process? Or also allow a username, but ensure the given one is identical to that specified in the certificate?

My explanation last year (when I implemented EXTERNAL authentication for my MUA) was that due to the many-process approach of postfix the relevant information is not available? But today, "running against this problem" again, I can hardly believe that the I/O is decoupled so extensively. Having said all that, I simply assume that SASL takes only a user name and a password, hm.
Aug 19 18:36:11 arch-2020 postfix/smtpd[4684]: connect from _gateway[10.0.0.1]
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: Debug: client in: AUTH 2 EXTERNAL service=smtp nologin lip=10.0.1.11 rip=10.0.0.1 secured resp=<hidden>
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: external(?,10.0.0.1): username not known
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: Debug: auth(?,10.0.0.1): Auth request finished
Aug 19 18:36:13 arch-2020 postfix/smtpd[4684]: warning: _gateway[10.0.0.1]: SASL EXTERNAL authentication failed:
Aug 19 18:36:13 arch-2020 dovecot[3229]: auth: Debug: client passdb out: FAIL 2
Aug 19 18:36:13 arch-2020 postfix/smtpd[4684]: 0E5B240511: client=_gateway[10.0.0.1]

When I use EXTERNAL for IMAP and POP3, directly via dovecot that is, then I see a cert_username= as well as valid-client-cert passing by in the log. Like I said, I have never looked behind these scenes of SASL, dovecot auth and postfix source code.

Another thing I do not understand is that _when_ I do have permit_tls_clientcerts, and the client certificate matches, AUTHs are still announced and required. (However, if I turn off smtpd_sasl_auth_enable=yes then not, ... of course.) Whereas it does not help me and my EXTERNAL support, I think it would be sensible to offer such a configuration possibility?

Thanks in advance, and Ciao and good night from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
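As an added illustration of what the quoted log shows (my own example, not code from the poster, postfix or dovecot): the EXTERNAL request that smtpd hands to the dovecot auth socket carries no certificate identity, so dovecot has nothing to map to a user and answers FAIL. The script below parses the "client in: AUTH ..." debug lines, pairs each request with its OK/FAIL line by request id, and reports EXTERNAL requests that lacked a certificate identity. It assumes that the identity fields are the cert_username= and valid-client-cert items the poster saw in the IMAP/POP3 case; the first seven sample lines mirror the post, the last two are a constructed IMAP login added for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log. Lines 1-7 mirror the ones quoted in the post; the
# last two are made up to show what a request looks like when Dovecot itself
# terminated TLS (assumed field names: valid-client-cert, cert_username=).
SAMPLE_LOG = """\
Aug 19 18:36:11 arch-2020 postfix/smtpd[4684]: connect from _gateway[10.0.0.1]
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: Debug: client in: AUTH 2 EXTERNAL service=smtp nologin lip=10.0.1.11 rip=10.0.0.1 secured resp=<hidden>
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: external(?,10.0.0.1): username not known
Aug 19 18:36:11 arch-2020 dovecot[3229]: auth: Debug: auth(?,10.0.0.1): Auth request finished
Aug 19 18:36:13 arch-2020 postfix/smtpd[4684]: warning: _gateway[10.0.0.1]: SASL EXTERNAL authentication failed:
Aug 19 18:36:13 arch-2020 dovecot[3229]: auth: Debug: client passdb out: FAIL 2
Aug 19 18:36:13 arch-2020 postfix/smtpd[4684]: 0E5B240511: client=_gateway[10.0.0.1]
Aug 19 18:40:02 arch-2020 dovecot[3229]: auth: Debug: client in: AUTH 3 EXTERNAL service=imap secured lip=10.0.1.11 rip=10.0.0.7 valid-client-cert cert_username=alice resp=<hidden>
Aug 19 18:40:02 arch-2020 dovecot[3229]: auth: Debug: client passdb out: OK 3 user=alice
"""

AUTH_IN = re.compile(r"auth: Debug: client in: AUTH (\d+) (\S+)(.*)$")
AUTH_OUT = re.compile(r"auth: Debug: client passdb out: (OK|FAIL) (\d+)")


@dataclass
class AuthRequest:
    req_id: int
    mech: str
    params: Dict[str, str] = field(default_factory=dict)  # key=value items
    flags: Set[str] = field(default_factory=set)          # bare items, e.g. "secured"
    result: Optional[str] = None                          # "OK", "FAIL" or None

    def has_cert_identity(self) -> bool:
        # Assumption: the identity arrives as the two items the poster saw
        # for IMAP/POP3 logins terminated by Dovecot itself.
        return "valid-client-cert" in self.flags and "cert_username" in self.params


def parse_auth_request(line: str) -> Optional[AuthRequest]:
    """Turn one 'client in: AUTH <id> <mech> ...' debug line into an AuthRequest."""
    m = AUTH_IN.search(line)
    if not m:
        return None
    req = AuthRequest(req_id=int(m.group(1)), mech=m.group(2))
    for item in m.group(3).split():
        if "=" in item:
            key, value = item.split("=", 1)
            req.params[key] = value
        else:
            req.flags.add(item)
    return req


def correlate(log: str) -> List[AuthRequest]:
    """Pair each AUTH request with its OK/FAIL answer via the request id."""
    pending: Dict[int, AuthRequest] = {}
    finished: List[AuthRequest] = []
    for line in log.splitlines():
        req = parse_auth_request(line)
        if req is not None:
            pending[req.req_id] = req
            continue
        m = AUTH_OUT.search(line)
        if m:
            req = pending.pop(int(m.group(2)), None)
            if req is not None:
                req.result = m.group(1)
                finished.append(req)
    return finished


def external_without_cert(log: str) -> List[str]:
    """List EXTERNAL requests that reached the auth socket without a
    certificate identity, i.e. the proxy offered EXTERNAL but forwarded
    nothing Dovecot could map to a user."""
    return [
        f"{r.params.get('service', '?')} from {r.params.get('rip', '?')}: "
        f"EXTERNAL request {r.req_id} lacked cert identity, result {r.result}"
        for r in correlate(log)
        if r.mech == "EXTERNAL" and not r.has_cert_identity()
    ]


if __name__ == "__main__":
    for finding in external_without_cert(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only request 2 (the smtpd-relayed one) is reported; the constructed IMAP request 3 carries both items and is left alone. Pointing the script at a real mail log gives a quick count of how often EXTERNAL is being offered and accepted by smtpd without any certificate data reaching the auth backend.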