Hi all!

I have been using the GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say "oddly" because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ goes through how to set it up for web pages.

In any event, what I'm looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says "These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter".

I guess it's kind of academic, but I thought I'd ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it?

Thanks! Brian
On 14.02.2018 20:39, Brian Topping wrote:
> Hi all!
>
> I have been using the GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say "oddly" because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ goes through how to set it up for web pages.
>
> In any event, what I'm looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says "These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter".
>
> I guess it's kind of academic, but I thought I'd ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it?
>
> Thanks! Brian

Hi Brian,

you can return allow_nets in your passdb to limit which networks the passdb is valid for. See https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

Aki
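As an added illustration of Aki's suggestion (this is example configuration written for this thread, not code from Aki's reply or from the Dovecot project; the file paths, usernames, password hash and the LAN/VPN ranges are constructed placeholders), a passwd-file passdb can carry the allow_nets extra field on each user line. Password-based lookups then succeed only when the client's source address falls inside the listed networks, while GSSAPI logins, which are verified by Kerberos rather than by the passdb, keep working from anywhere:

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (constructed example) ---
# Offer both mechanisms; PLAIN is gated per user by allow_nets below.
auth_mechanisms = plain gssapi
# PLAIN is only ever accepted over TLS, LAN or not.
disable_plaintext_auth = yes

passdb {
  driver = passwd-file
  # Hash scheme applies to all lines; path is an assumption for this example.
  args = scheme=SHA512-CRYPT /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = /etc/dovecot/users
}

# --- /etc/dovecot/users (constructed example) ---
# Format: user:password:uid:gid:gecos:home:shell:extra_fields
# The hash below is a placeholder; generate a real one with `doveadm pw -s SHA512-CRYPT`.
# 192.168.1.0/24 stands for the office LAN and 10.8.0.0/24 for the VPN pool.
brian:{SHA512-CRYPT}$6$PLACEHOLDER$PLACEHOLDERHASH::::::allow_nets=192.168.1.0/24,10.8.0.0/24
```

A password attempt for brian from an address outside those two ranges is refused by the passdb, so an Internet-facing dictionary attack against PLAIN gets no further than it would with GSSAPI alone; the iOS client only needs to be on the LAN or connected to the VPN. Because allow_nets is a per-user extra field, different users can be given different ranges, and a user line without it remains reachable from any network.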