thr3ads.net - dovecot - How to use different SASL mechanisms for ssl connections [Oct 2015]

If this information is useful, please help other people find it:
Share via:

David Cigánek

2015-Oct-27 11:22 UTC

How to use different SASL mechanisms for ssl connections

Hi

I would like to set different SASL mechanisms for users trying to login 
(POP3/IMAP/Managesieve) on encrypted channel, than for those on 
unencrypted connection.

Specificaly:

For users on unencrypted channel, i need to allow login with CRAM-MD5 
(to improve security - I have users who require unencrypted connection 
but i cant let tem use PLAIN login, of course). But for users on 
TLS/STARTTLS, there is no need to encrypt the password and I want to 
store their passwords more securely - crypted with SHA512 - but that 
prohibits the usage of CRAM-MD5 for login in.

I know how to handle the passdb/userdb lookups but i need to prevent the 
POP3/IMAP server from announcing the CRAM-MD5 SASL method on encrypted 
channel. Because if the server announces the CRAM-MD5 method, MUAs will 
preffer to use that and for most users, this method is unsupported so 
they will get an error. Also some MUAs seems to change SASL method from 
PLAIN to CRAM-MD5 on their own (according to my logs - after enabling 
the CRAM-MD5, many MUAs started to login with that, even though they 
have logged in with LOGIN/PLAIN up until then).

I need the same that can be achieved in Posfix (for authenticated 
sending via SMTP) with those settings:

  smtpd_sasl_security_options = noanonymous, noplaintext
  smtpd_sasl_tls_security_options = noanonymous, nodictionary

Is there any way how to achieve this behavior in Dovecot?

I'm using Dovecot ver. 2.2.16 (from source) on Centos 7.


Since I have already done some research, i believe there is currently no 
way how to achieve this behavior. Now I'm looking at the source code here:

  src/login-common/sasl-server.c
  sasl_server_get_advertised_mechs()

and I think it shouldn't be too hard for me to implement a little ad-hoc 
change to get this working.

So I'd like to ask you if I'm on the righ way with that and if there is 
anyone out there who could help me with that, I would realy appreciate it.

Thank you very much.

David.

Maybe Matching Threads

Search for more possibly parallel threads

dovecot - Oct 2015 - How to use different SASL mechanisms for ssl connections

How to use different SASL mechanisms for ssl connections

Maybe Matching Threads

Wisdom of the Ancients