dovecot - Aug 2020 - [EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.

Hello and good evening.

Sorry for responding so late, it is midsummer and i spend as much
time as possible on the outside (bicycle, mostly).  (Just one more
day, then 10 degrees colder!!)

I Cc: Wietse Venema, because i quote a message of him.
(this is "set quote-add-cc" here.)

Aki Tuomi wrote in
 <84881193.5398.1597934431687 at appsuite-dev-gw2.open-xchange.com>:

The dovecot mail archive removed your HTML message :)
(And given code like

   <div>
    &nbsp;
   </div>
   <div>
    &nbsp;
   </div>
   <div>
    Hello.
   </div>
   <div>
    &nbsp;
   </div>
   <div>
    I am not subscribed and new here, so first of all i want to thank
   </div>
   <div>
    you for dovecot. I personally do not use it in "production"
   </div>

it was right in doing so :-)

 ||On 20/08/2020 17:28 Steffen Nurpmeso <[1]steffen at sdaoden.eu[/1]>
wrote:
 ...
 ||What is really terrible with the current situation is that postfix 
 |
 ||announces the EXTERNAL, with Wietse Venema saying 

It seems he has read the dovecot documentation again in the
meantime, different to me :(, so i have to apologise for saying

 |[1], and it turned out that postfix seems incapable to do
 |something about it, because the dovecot auth protocol does not
 |offer the possibility to specify a valid-user-certificate-seen
 |flag as well as pass the username from the certificate. (Or even
 |pass the entire certificate as a base64 string, less postfix CA,
 |.. or whatever.)

because Wietse Venema now says

  Wietse Venema wrote in
   <4BXSTk189nzJrP3 at spike.porcupine.org>:
   ...
   |Steffen Nurpmeso:
   ...
   |> until SASL says it is done?!.  How could EXTERNAL ever work like
   |> that in a client/server->auth-server situation?
   |
   |There's a chicken and egg question in there somewhere.
   |
   |https://wiki1.dovecot.org/Authentication%20Protocol mentions
   |two attributes that might be relevant, and that Postfix can send:
   |
   |secured
   |    Remote user has secured transport to auth client] (eg. localhost, \
   |    SSL, TLS)
   |
   |valid-client-cert
   |    Remote user has presented a valid SSL certificate.
   |
   |But these are booleans. What protocol attribute would Postfix use
   |to pass certificate name information (and which name, as there
   |can be any number of them)?
   |
   | Wietse
   | Wietse
   --End of <4BXSTk189nzJrP3 at spike.porcupine.org>

I think i will spend some time tomorrow and try to do some
coding with postfix.  Let's see wether the immediate response of
EXTERNAL can work with dovecot's SASL, even in conjunction with
auth_ssl_username_from_cert=yes that is!
Otherwise i think what he says here.

 |You could try out dovecot submission service. It should work better \
 |with EXTERNAL.

For the internal test network this may really be an option.  But
for my web vm: ach, i am not an administrator, it is pain to get
used to all that.  In real life i use the DMA here, and external
mail goes via my MUA through ssh only:

  set mta=/usr/bin/ssh
  set mta-arguments='steffen at sdaoden.eu /usr/sbin/sendmail -t'
  set mta-argv0=ssh

That sendmail is postfix, then.  And there is such a tremendous
amount of noise in the logs of postfix and the lighttpd web server
that are available easily from the network, it is terrible.  Even
with very rigid firewall rules, and things like postfix's error
limits, junk command limit, record deadlines, timeouts, active
sleeping in restrictions ...  And for now i would not even know
whether dovecot has equivalents, nor how to apply this
correctly.  These are all very capable and highly configurable
applications.  dovecot for example, i track the source for
a couple of years, comes with
 568 files changed, 26488 insertions(+), 6969 deletions(-)
for my last update (v2.3.10.1 to v2.3.11.3).  This is a lot.

Thank you.
And Ciao! and good night from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> 
>  
> Hello and good evening.
> 
> Sorry for responding so late, it is midsummer and i spend as much
> time as possible on the outside (bicycle, mostly).  (Just one more
> day, then 10 degrees colder!!)
> 
> I Cc: Wietse Venema, because i quote a message of him.
> (this is "set quote-add-cc" here.)
> 
> Aki Tuomi wrote in
>  <84881193.5398.1597934431687 at appsuite-dev-gw2.open-xchange.com>:
> 
> The dovecot mail archive removed your HTML message :)
> (And given code like
> 
>    <div>
>     &nbsp;
>    </div>
>    <div>
>     &nbsp;
>    </div>
>    <div>
>     Hello.
>    </div>
>    <div>
>     &nbsp;
>    </div>
>    <div>
>     I am not subscribed and new here, so first of all i want to thank
>    </div>
>    <div>
>     you for dovecot. I personally do not use it in "production"
>    </div>
> 
> it was right in doing so :-)
> 
>  ||On 20/08/2020 17:28 Steffen Nurpmeso <[1]steffen at
sdaoden.eu[/1]> wrote:
>  ...
>  ||What is really terrible with the current situation is that postfix 
>  |
>  ||announces the EXTERNAL, with Wietse Venema saying 
> 
> It seems he has read the dovecot documentation again in the
> meantime, different to me :(, so i have to apologise for saying
> 
>  |[1], and it turned out that postfix seems incapable to do
>  |something about it, because the dovecot auth protocol does not
>  |offer the possibility to specify a valid-user-certificate-seen
>  |flag as well as pass the username from the certificate. (Or even
>  |pass the entire certificate as a base64 string, less postfix CA,
>  |.. or whatever.)
> 
> because Wietse Venema now says
> 
>   Wietse Venema wrote in
>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>    ...
>    |Steffen Nurpmeso:
>    ...
>    |> until SASL says it is done?!.  How could EXTERNAL ever work like
>    |> that in a client/server->auth-server situation?
>    |
>    |There's a chicken and egg question in there somewhere.
>    |
>    |https://wiki1.dovecot.org/Authentication%20Protocol mentions
>    |two attributes that might be relevant, and that Postfix can send:
>    |
>    |secured
>    |    Remote user has secured transport to auth client] (eg. localhost, \
>    |    SSL, TLS)
>    |
>    |valid-client-cert
>    |    Remote user has presented a valid SSL certificate.
>    |
>    |But these are booleans. What protocol attribute would Postfix use
>    |to pass certificate name information (and which name, as there
>    |can be any number of them)?
>    |
>    | Wietse
>    | Wietse
>    --End of <4BXSTk189nzJrP3 at spike.porcupine.org>
> 
> I think i will spend some time tomorrow and try to do some
> coding with postfix.  Let's see wether the immediate response of
> EXTERNAL can work with dovecot's SASL, even in conjunction with
> auth_ssl_username_from_cert=yes that is!
> Otherwise i think what he says here.
> 
>  |You could try out dovecot submission service. It should work better \
>  |with EXTERNAL.
> 
> For the internal test network this may really be an option.  But
> for my web vm: ach, i am not an administrator, it is pain to get
> used to all that.  In real life i use the DMA here, and external
> mail goes via my MUA through ssh only:
> 
>   set mta=/usr/bin/ssh
>   set mta-arguments='steffen at sdaoden.eu /usr/sbin/sendmail -t'
>   set mta-argv0=ssh
> 
> That sendmail is postfix, then.  And there is such a tremendous
> amount of noise in the logs of postfix and the lighttpd web server
> that are available easily from the network, it is terrible.  Even
> with very rigid firewall rules, and things like postfix's error
> limits, junk command limit, record deadlines, timeouts, active
> sleeping in restrictions ...  And for now i would not even know
> whether dovecot has equivalents, nor how to apply this
> correctly.  These are all very capable and highly configurable
> applications.  dovecot for example, i track the source for
> a couple of years, comes with
>  568 files changed, 26488 insertions(+), 6969 deletions(-)
> for my last update (v2.3.10.1 to v2.3.11.3).  This is a lot.
> 
> Thank you.
> And Ciao! and good night from Germany,
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
I was trying to suggest that you could try dovecot submission server. It might
work better with EXTERNAL authentication.

Aki

Aki Tuomi wrote in
 <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
 |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
 ...
 |>   Wietse Venema wrote in
 |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
 |>    ...
 |>|Steffen Nurpmeso:
 |>    ...
 |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
 |>|> that in a client/server->auth-server situation?
 ...
 |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |>|two attributes that might be relevant, and that Postfix can send:
 |>|
 |>|secured
 |>|    Remote user has secured transport to auth client] (eg. localhost, \
 |>|    SSL, TLS)
 |>|
 |>|valid-client-cert
 |>|    Remote user has presented a valid SSL certificate.
 |>|
 |>|But these are booleans. What protocol attribute would Postfix use
 |>|to pass certificate name information (and which name, as there
 |>|can be any number of them)?
 ...
 |I was trying to suggest that you could try dovecot submission server. \
 |It might work better with EXTERNAL authentication.

Ok, thanks.  Yes, i just faked it for my tests, carrying over the
IMAP/POP3 communication.  (I use your output as a template and do
stuff like

        smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
           -Stls-config-pairs=Certificate=client-pair.pem
        { smtp_ehlo && printf '\001
  STARTTLS
  \003
  220 2.0.0 Ready to start TLS
  ' &&
           smtp_ehlo 0 && printf '\001
  AUTH EXTERNAL   ' &&
           smtp_auth_ok && smtp_go; } |
           ../net-test -U -s .t.sh > "${MBOX}" 2>&1
        check auth-7 0 "${MBOX}" '4294967295 0'

you know.  Terrible this does not work for GSSAPI, i am about to
ask the MIT people to add two pseudo credentials, one which always
works and one which does not, so that automatic testing is
possible at all, and via unpriviledged account!)

But wouldn't this be an improvement, extending the protocol so
that it announces a fingerprint checksum digest, which then can be
used in return to report client certificate fingerprints to the
dovecot auth server?  Like that even client certificate
verification could be handled by dovecot auth, aka via SASL, and
administrators would have to take care for one user database only?

Other than that i say
Ciao from Germany!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)