David Cigánek
2015-Oct-27 11:22 UTC
How to use different SASL mechanisms for ssl connections
Hi,

I would like to set different SASL mechanisms for users trying to log in (POP3/IMAP/ManageSieve) on an encrypted channel than for those on an unencrypted connection. Specifically: for users on an unencrypted channel, I need to allow login with CRAM-MD5 (to improve security - I have users who require an unencrypted connection, but I can't let them use PLAIN login, of course). But for users on TLS/STARTTLS, there is no need to encrypt the password and I want to store their passwords more securely - crypted with SHA512 - but that prohibits the use of CRAM-MD5 for logging in.

I know how to handle the passdb/userdb lookups, but I need to prevent the POP3/IMAP server from announcing the CRAM-MD5 SASL method on the encrypted channel. Because if the server announces the CRAM-MD5 method, MUAs will prefer to use that, and for most users this method is unsupported, so they will get an error. Also, some MUAs seem to change the SASL method from PLAIN to CRAM-MD5 on their own (according to my logs - after enabling CRAM-MD5, many MUAs started to log in with that, even though they had logged in with LOGIN/PLAIN up until then).

I need the same thing that can be achieved in Postfix (for authenticated sending via SMTP) with these settings:

    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous, nodictionary

Is there any way to achieve this behavior in Dovecot? I'm using Dovecot ver. 2.2.16 (from source) on CentOS 7.

Since I have already done some research, I believe there is currently no way to achieve this behavior. Now I'm looking at the source code here:

    src/login-common/sasl-server.c
    sasl_server_get_advertised_mechs()

and I think it shouldn't be too hard for me to implement a little ad-hoc change to get this working. So I'd like to ask you if I'm on the right way with that, and if there is anyone out there who could help me with that, I would really appreciate it.

Thank you very much.

David.
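The transport-dependent mechanism filter the post is asking for, written out as a standalone illustration. This is added example code, not Dovecot's sasl-server.c and not anything from the original thread: the mechanism table, the flag names and the policy struct are constructed for the example, and only the policy itself (cleartext: noanonymous, noplaintext; TLS: noanonymous, nodictionary) is taken from the Postfix settings quoted above. One point the example makes that the post does not: the same allow/deny decision is used both when building the advertised list and when a client names a mechanism, so a mechanism that is hidden from the capability list is also refused if a client tries it anyway.

```c
/* Illustrative filter for which SASL mechanisms a login service advertises
 * and accepts, depending on whether the transport is already encrypted.
 * Added example, not Dovecot's own code: struct, flag names and the
 * mechanism table below are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mech_flags {
	MECH_ANONYMOUS  = 1 << 0,  /* no credentials at all */
	MECH_PLAINTEXT  = 1 << 1,  /* password crosses the wire in the clear */
	MECH_DICTIONARY = 1 << 2,  /* challenge/response over a stored secret */
};

struct mech_desc {
	const char *name;
	unsigned int flags;
};

/* Constructed mechanism table (hypothetical, for the example only). */
static const struct mech_desc mechs[] = {
	{ "PLAIN",      MECH_PLAINTEXT },
	{ "LOGIN",      MECH_PLAINTEXT },
	{ "CRAM-MD5",   MECH_DICTIONARY },
	{ "DIGEST-MD5", MECH_DICTIONARY },
	{ "ANONYMOUS",  MECH_ANONYMOUS },
};
#define MECH_COUNT (sizeof(mechs) / sizeof(mechs[0]))

/* Postfix-style security options for one transport state. */
struct sasl_policy {
	bool noanonymous;
	bool noplaintext;
	bool nodictionary;
};

/* Mirrors smtpd_sasl_security_options / smtpd_sasl_tls_security_options. */
static const struct sasl_policy cleartext_policy = { true, true,  false };
static const struct sasl_policy tls_policy       = { true, false, true  };

/* Single decision point, shared by advertisement and by the AUTH handler. */
bool sasl_mech_allowed(const struct mech_desc *m, bool secured)
{
	const struct sasl_policy *p = secured ? &tls_policy : &cleartext_policy;

	if (p->noanonymous && (m->flags & MECH_ANONYMOUS))
		return false;
	if (p->noplaintext && (m->flags & MECH_PLAINTEXT))
		return false;
	if (p->nodictionary && (m->flags & MECH_DICTIONARY))
		return false;
	return true;
}

/* Fill out[] with the names to advertise in the capability list; returns
 * how many were written. */
size_t sasl_advertised_mechs(bool secured, const char **out, size_t max)
{
	size_t n = 0;

	for (size_t i = 0; i < MECH_COUNT && n < max; i++) {
		if (sasl_mech_allowed(&mechs[i], secured))
			out[n++] = mechs[i].name;
	}
	return n;
}

/* What the server should answer when a client names a mechanism: true only
 * if the mechanism exists and is allowed on this transport, regardless of
 * whether it was advertised. */
bool sasl_accept_mech(const char *name, bool secured)
{
	for (size_t i = 0; i < MECH_COUNT; i++) {
		if (strcmp(mechs[i].name, name) == 0)
			return sasl_mech_allowed(&mechs[i], secured);
	}
	return false;
}

int main(void)
{
	const char *names[MECH_COUNT];
	size_t n;

	n = sasl_advertised_mechs(false, names, MECH_COUNT);
	printf("cleartext advertises:");
	for (size_t i = 0; i < n; i++)
		printf(" %s", names[i]);
	printf("\n");

	n = sasl_advertised_mechs(true, names, MECH_COUNT);
	printf("TLS advertises:");
	for (size_t i = 0; i < n; i++)
		printf(" %s", names[i]);
	printf("\n");
	return 0;
}
```

With the constructed table, the cleartext side advertises only CRAM-MD5 and DIGEST-MD5, the TLS side only PLAIN and LOGIN, which is the split the post wants so that TLS users can be verified against a SHA512-CRYPT hash while cleartext users keep a challenge/response mechanism.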