Steffen Nurpmeso:
> I have no idea of the inner sensitivities of postfix, but I do not
> understand where the problem lies. Why does postfix "wave
> through" the SASL offering of EXTERNAL when it does not support
> it? (I have no idea of SASL library interfaces.)
Short summary: Postfix does not implement a single iota of SASL AUTH
support. Postfix simply propagates the names of mechanisms that the
backend (Cyrus or Dovecot) claims to support, and Postfix proxies
requests and responses between the remote SMTP client and the SASL
backend. Postfix has no idea what SASL mechanisms are, including
EXTERNAL. It just proxies stuff.

If Dovecot claims to support SASL EXTERNAL but does not handle it,
then that is a bit of a WTF.

> I.e., postfix is configured to check client certificates, why does
> it not "simply" allow the same configuration setting that dovecot
> supports, something like auth_ssl_username_from_cert=yes, then
> requires that for case(EXTERNAL) nothing but an empty immediate
> response is passed, then passes the user given in the certificate
> to the dovecot process? Or also allow a username, but ensure
> the given one is identical to that specified in the certificate?

Are you suggesting that we create new SASL protocol support in
Postfix to handle the EXTERNAL protocol inside Postfix? There
currently is no code in Postfix for any SASL mechanism at all.

Wietse
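The pass-through behaviour described in the reply above, modelled as an added example; this is not Postfix or Dovecot code, only a simplified illustration. It assumes the Dovecot auth-socket wire format (tab-separated VERSION/MECH/DONE handshake lines, then AUTH/OK/CONT/FAIL lines) and the SMTP AUTH convention that "=" stands for an empty initial response; the handshake text, request id, client address and reply strings are constructed for the example. The point it shows is that the advertised "250-AUTH" list is copied from whatever the backend announces, and that an "AUTH EXTERNAL =" command is relayed to the backend unmodified, so if the backend announces EXTERNAL and then rejects it, the SMTP client simply sees a failure.

```python
import base64
import binascii

# Constructed sample of a backend handshake, in the tab-separated style of
# the Dovecot auth client protocol. The SPID/CUID/COOKIE values are made up.
# Note that the backend announces EXTERNAL alongside PLAIN and LOGIN.
DOVECOT_HANDSHAKE = (
    "VERSION\t1\t1\n"
    "MECH\tPLAIN\tplaintext\n"
    "MECH\tLOGIN\tplaintext\n"
    "MECH\tEXTERNAL\n"
    "SPID\t12345\n"
    "CUID\t1\n"
    "COOKIE\t0123456789abcdef0123456789abcdef\n"
    "DONE\n"
)


def backend_mechanisms(handshake: str) -> list:
    """Collect the mechanism names from MECH lines, in the order the backend
    sends them. Nothing here knows what any of the names mean."""
    mechs = []
    for line in handshake.splitlines():
        fields = line.split("\t")
        if fields[0] == "MECH" and len(fields) >= 2 and fields[1]:
            mechs.append(fields[1].upper())
    return mechs


def ehlo_auth_line(mechs: list) -> str:
    """Build the EHLO capability line straight from the backend's list."""
    return "250-AUTH " + " ".join(mechs)


def smtp_auth_to_backend_request(cmd: str, req_id: int, rip: str,
                                 secured: bool) -> str:
    """Translate 'AUTH <mech> [initial-response]' from the SMTP client into a
    backend AUTH request. The mechanism name is relayed verbatim; '=' means an
    empty initial response (RFC 4954), anything else must be base64."""
    parts = cmd.split()
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        raise ValueError("not an AUTH command")
    mech = parts[1].upper()
    fields = ["AUTH", str(req_id), mech, "service=smtp", f"rip={rip}"]
    if secured:
        fields.append("secured")
    if len(parts) > 2:
        initial = parts[2]
        if initial == "=":
            fields.append("resp=")
        else:
            try:
                base64.b64decode(initial, validate=True)
            except binascii.Error:
                raise ValueError("initial response is not valid base64")
            fields.append(f"resp={initial}")
    return "\t".join(fields)


def backend_reply_to_smtp(reply: str) -> str:
    """Map the backend's OK/CONT/FAIL line to the SMTP reply the client sees.
    The proxy never interprets mechanism data; a CONT payload is relayed
    as-is in a 334 reply."""
    fields = reply.rstrip("\n").split("\t")
    if fields[0] == "OK":
        return "235 2.7.0 Authentication successful"
    if fields[0] == "CONT":
        return "334 " + (fields[2] if len(fields) > 2 else "")
    return "535 5.7.8 Error: authentication failed"


def fake_backend(request: str) -> str:
    """A constructed backend that, like the case discussed in the thread,
    announces EXTERNAL but refuses to handle it. PLAIN/LOGIN get a CONT."""
    fields = request.split("\t")
    req_id = fields[1]
    if fields[2] == "EXTERNAL":
        return f"FAIL\t{req_id}\treason=mechanism not handled"
    return f"CONT\t{req_id}\t"


def relay_auth(cmd: str, req_id: int = 1, rip: str = "192.0.2.10",
               secured: bool = True) -> str:
    """End-to-end: SMTP command in, SMTP reply out, with the proxy in between."""
    return backend_reply_to_smtp(
        fake_backend(smtp_auth_to_backend_request(cmd, req_id, rip, secured)))


if __name__ == "__main__":
    mechs = backend_mechanisms(DOVECOT_HANDSHAKE)
    print(ehlo_auth_line(mechs))
    print(relay_auth("AUTH EXTERNAL ="))
    print(relay_auth("AUTH PLAIN"))
```

Run stand-alone, the script prints the capability line with EXTERNAL in it and then the 535 reply the client gets for "AUTH EXTERNAL =", which is the situation the reply above calls a WTF: the mechanism was advertised by the backend, not by the proxy, and the proxy has nothing to add when the backend then fails it.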