Re: auth_policy in a non-authenticating proxy chain

2018-09-15 Thread Aki Tuomi
> On 15 September 2018 at 12:32 Peter Mogensen wrote: > > > > > On 09/15/2018 10:41 AM, Aki Tuomi wrote: > > Point of sending the success ones is to maintain whitelist as well as > > blacklist so you know which ones you should not tarpit anymore. We > > know it does scale as we have very lar

Re: auth_policy in a non-authenticating proxy chain

2018-09-15 Thread Peter Mogensen
On 09/15/2018 10:41 AM, Aki Tuomi wrote: > Point of sending the success ones is to maintain whitelist as well as > blacklist so you know which ones you should not tarpit anymore. We > know it does scale as we have very large deployments using the whole > three request per login model. > > "Succ

Re: auth_policy in a non-authenticating proxy chain

2018-09-15 Thread Aki Tuomi
From: Peter Mogensen Date: 15/09/2018 11:25 (GMT+02:00) To: Dovecot Mailing List Subject: Re: auth_policy in a non-authenticating proxy chain Hi ... After the below thread, I wrote a patch to select on a node-by-node basis which auth-policy request should be done from that node. To my

Re: auth_policy in a non-authenticating proxy chain

2018-09-15 Thread Peter Mogensen
Hi ... After the below thread, I wrote a patch to select on a node-by-node basis which auth-policy request should be done from that node. To my surprise the exact same functionality then turned up in 2.2.34 with just slightly different option names:* * *auth_policy_check_before_auth*: Whether to

Re: auth_policy in a non-authenticating proxy chain

2017-12-14 Thread Peter Mogensen
On 2017-12-14 10:31, Sami Ketola wrote: > >> On 14 Dec 2017, at 8.30, Peter Mogensen wrote: >> However... since the proxy use "nopassword", ALL passdb lookups result >> in "success", so the proxy will never report an authentication failure >> to the authpolicy server. > > > Why not authentica

Re: auth_policy in a non-authenticating proxy chain

2017-12-14 Thread Sami Ketola
> On 14 Dec 2017, at 8.30, Peter Mogensen wrote: > However... since the proxy use "nopassword", ALL passdb lookups result > in "success", so the proxy will never report an authentication failure > to the authpolicy server. Why not authenticate the sessions at the proxy level already? Is there a

auth_policy in a non-authenticating proxy chain

2017-12-13 Thread Peter Mogensen
Hi, I was looking into the new Authentication Policy feature: https://wiki2.dovecot.org/Authentication/Policy I had kinda hoped that I would be able to enfore this in a proxy running in front of several backends. This proxy does not authenticate. It use "nopassword". But I realize that the "suc