dovecot - Sep 2018 - auth_policy in a non-authenticating proxy chain

On 09/15/2018 10:41 AM, Aki Tuomi wrote:
> Point of sending the success ones is to maintain whitelist as well as
> blacklist so you know which ones you should not tarpit anymore. We
> know it does scale as we have very large deployments using the whole
> three request per login model.
>
>
"Success" in a proxy which is not it self authenticating is only
whether
it know where to proxy the requested username to.
I'm not sure whether this would be input to a whitelist.

I'm not doubting that 3 req/login scales.

/Peter

> On 15 September 2018 at 12:32 Peter Mogensen <apm at one.com> wrote:
> 
> 
> 
> 
> On 09/15/2018 10:41 AM, Aki Tuomi wrote:
> > Point of sending the success ones is to maintain whitelist as well as
> > blacklist so you know which ones you should not tarpit anymore. We
> > know it does scale as we have very large deployments using the whole
> > three request per login model.
> >
> >
> 
> "Success" in a proxy which is not it self authenticating is only
whether
> it know where to proxy the requested username to.
> I'm not sure whether this would be input to a whitelist.
> 
> I'm not doubting that 3 req/login scales.
> 
> /Peter
>
This is rather uncommon use-case. Most cases authentication occurs on proxy and
is forwarded using, say, master password on to the backend.

Aki