On 4/27/22 18:36, Viktor Dukhovni wrote:
> On 27 Apr 2022, at 12:27 pm, Michael Ströder <mich...@stroeder.com> wrote:
>>>> one way to authenticate may be using Kerberos.
>>>
>>> Not recommended for roaming users accessing submission service via public
>>> Internet.
>>
>> Suitability depends on the user base, ... my personal mail server
>> indeed supports SASL GSSAPI submission. There are no users with
>> weak passwords.
>
> Strictly speaking you would have to say SASL GSSAPI with Kerberos 5
> because...
> Note also that in principle GSSAPI can support all sorts of novel
> authentication mechanisms,

...you're of course right that GSSAPI is also a generic layer.

> The layering of SASL over GSSAPI is somewhat redundant,

Agreed.

But my concern is rather that I would not connect my KDC to the Internet
(for now leaving aside approaches like proxy KCM).

In general I'm leaning more towards using asymmetric keys for authc. On
my personal to-do list is to implement a simple X.509-CA for issuing
short-term client certs, with a CLI tool to directly manipulate
Thunderbird and Firefox key/cert DB.

Ciao, Michael.