Viktor Dukhovni:
> On Sun, Aug 23, 2020 at 02:36:51AM +0200, Steffen Nurpmeso wrote:
>
> > However, short of time (it will be no sooner than six o'clock in
> > the morning until i will get home, sorry! Just in case anyone is
> > interested), i blindly added another cert_username=steffen to the
> > stuff in src/xsasl/xsasl_dovecot_server.c, and with that we will
> > get the job done!
>
> I think that there's a major semantic problem here. The code validating
> the certificate chain against some issuer(s) trusted to identify local
> users should also be the code that's mapping certificates to user names.
>
> It sounds like you have Postfix validating the certificate trust chain,
> but then Dovecot, doing the user mapping. Or if not, what role exactly
> is Dovecot playing in all this?
>
> You're posting code, but that seems premature. Can you instead post a
> description of the design? Perhaps moving the discussion to
> postfix-devel...

And if you must pass additional information to the Dovecot auth
server, the proper way is to extend the xsasl_server_create() API,
not adding ad-hoc arguments here and there to poke data through
the abstraction layers.

	Wietse