Steffen Nurpmeso
2020-Aug-21 14:56 UTC
[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
Aki Tuomi wrote in
 <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
 |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
  ...
 |> Wietse Venema wrote in
 |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
 |> ...
 |>|Steffen Nurpmeso:
 |> ...
 |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
 |>|> that in a client/server->auth-server situation?
  ...
 |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |>|two attributes that might be relevant, and that Postfix can send:
 |>|
 |>|secured
 |>|    Remote user has secured transport to auth client] (eg. localhost, \
 |>|    SSL, TLS)
 |>|
 |>|valid-client-cert
 |>|    Remote user has presented a valid SSL certificate.
 |>|
 |>|But these are booleans. What protocol attribute would Postfix use
 |>|to pass certificate name information (and which name, as there
 |>|can be any number of them)?
  ...
 |I was trying to suggest that you could try dovecot submission server. \
 |It might work better with EXTERNAL authentication.

Ok, thanks.  Yes, i just faked it for my tests, carrying over the
IMAP/POP3 communication.  (I use your output as a template and do
stuff like

  smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
      -Stls-config-pairs=Certificate=client-pair.pem
  { smtp_ehlo && printf '\001
  STARTTLS
  \003
  220 2.0.0 Ready to start TLS
  ' &&
  smtp_ehlo 0 && printf '\001
  AUTH EXTERNAL
  ' &&
  smtp_auth_ok && smtp_go; } |
  ../net-test -U -s .t.sh > "${MBOX}" 2>&1
  check auth-7 0 "${MBOX}" '4294967295 0'

you know.  Terrible this does not work for GSSAPI, i am about to
ask the MIT people to add two pseudo credentials, one which always
works and one which does not, so that automatic testing is
possible at all, and via unprivileged account!)

But wouldn't this be an improvement, extending the protocol so
that it announces a fingerprint checksum digest, which then can be
used in return to report client certificate fingerprints to the
dovecot auth server?  Like that even client certificate
verification could be handled by dovecot auth, aka via SASL, and
administrators would have to take care for one user database only?

Other than that i say
Ciao from Germany!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
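The protocol limitation that the quoted remark about "secured" and "valid-client-cert" points at can be made concrete with a small parser. The following is an added example, not code from this thread or from Dovecot or Postfix; it assumes only the documented shape of an auth-client request (a tab-separated AUTH line with an id, a mechanism, key=value attributes and valueless flags, the initial SASL response base64 encoded in resp=). The request lines it feeds itself are constructed.

```python
"""Toy parser for Dovecot-style auth-client AUTH requests (constructed example).

The authentication protocol is line based and tab separated.  One
request looks like

    AUTH<TAB>id<TAB>mechanism<TAB>key=value...<TAB>flag...

"secured" and "valid-client-cert" are flags without a value: the auth
client (Postfix, dovecot submission, ...) can only say *that* the
transport was secured and *that* some valid client certificate was
presented.  Nothing in this shape names the certificate, which is the
gap discussed in the thread.  All sample lines below are constructed.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthRequest:
    req_id: int
    mechanism: str
    params: Dict[str, str] = field(default_factory=dict)  # key=value attributes
    flags: Set[str] = field(default_factory=set)          # valueless attributes


def parse_auth_line(line: str) -> AuthRequest:
    """Split one AUTH request into id, mechanism, key=value pairs and flags."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    req = AuthRequest(req_id=int(parts[1]), mechanism=parts[2].upper())
    for attr in parts[3:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            req.params[key] = value
        else:
            req.flags.add(attr)
    return req


def external_authzid(req: AuthRequest) -> Optional[str]:
    """EXTERNAL's initial response (RFC 4422) is the requested authorization
    identity; on the wire it travels base64 encoded in resp=."""
    resp = req.params.get("resp")
    if resp is None:
        return None
    return base64.b64decode(resp).decode("utf-8")


def evaluate_external(req: AuthRequest) -> Tuple[str, str]:
    """Decide EXTERNAL on the evidence the request actually carries.

    Returns (verdict, detail).  With only the two booleans available, the
    auth server has to trust the client's "valid-client-cert" flag and
    take the user name from whatever authzid the remote user sent.
    """
    if req.mechanism != "EXTERNAL":
        return ("FAIL", "mechanism is not EXTERNAL")
    if "secured" not in req.flags:
        return ("FAIL", "transport not secured")
    if "valid-client-cert" not in req.flags:
        return ("FAIL", "no valid client certificate presented")
    authzid = external_authzid(req)
    if not authzid:
        # Boolean flag only: nothing tells us which certificate it was.
        return ("FAIL", "certificate identity not available, authzid empty")
    return ("OK", authzid)


def format_reply(req: AuthRequest, verdict: str, detail: str) -> str:
    """Render the auth server's answer line for the request id."""
    if verdict == "OK":
        return "OK\t%d\tuser=%s" % (req.req_id, detail)
    return "FAIL\t%d\treason=%s" % (req.req_id, detail)


def run_samples() -> List[Tuple[int, str, str]]:
    """Evaluate the constructed requests and return (id, verdict, detail)."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")

    samples = [
        # client cert verified by the auth client, authzid supplied
        "AUTH\t1\tEXTERNAL\tservice=smtp\tsecured\tvalid-client-cert\tresp=" + b64("steffen"),
        # secured, but no (valid) client certificate was presented
        "AUTH\t2\tEXTERNAL\tservice=smtp\tsecured\tresp=" + b64("steffen"),
        # certificate valid, but empty authzid: nothing names the user
        "AUTH\t3\tEXTERNAL\tservice=smtp\tsecured\tvalid-client-cert\tresp=",
        # a different mechanism is not this evaluator's business
        "AUTH\t4\tPLAIN\tservice=imap\tsecured\tresp=" + b64("\0steffen\0secret"),
    ]
    results = []
    for line in samples:
        req = parse_auth_line(line)
        verdict, detail = evaluate_external(req)
        results.append((req.req_id, verdict, detail))
    return results


if __name__ == "__main__":
    for req_id, verdict, detail in run_samples():
        print(req_id, verdict, detail)
```

Request 3 is the interesting one: the auth client vouches for a valid certificate, yet the auth server still has no name to map to a user, because the only per-certificate data the request carries is a flag. Any proposal to carry a certificate fingerprint or name would have to add a key=value attribute to exactly this line.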
Aki Tuomi
2020-Aug-21 15:15 UTC
[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>
>
> Aki Tuomi wrote in
>  <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
>  |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>   ...
>  |> Wietse Venema wrote in
>  |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
>  |> ...
>  |>|Steffen Nurpmeso:
>  |> ...
>  |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
>  |>|> that in a client/server->auth-server situation?
>   ...
>  |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>  |>|two attributes that might be relevant, and that Postfix can send:
>  |>|
>  |>|secured
>  |>|    Remote user has secured transport to auth client] (eg. localhost, \
>  |>|    SSL, TLS)
>  |>|
>  |>|valid-client-cert
>  |>|    Remote user has presented a valid SSL certificate.
>  |>|
>  |>|But these are booleans. What protocol attribute would Postfix use
>  |>|to pass certificate name information (and which name, as there
>  |>|can be any number of them)?
>   ...
>  |I was trying to suggest that you could try dovecot submission server. \
>  |It might work better with EXTERNAL authentication.
>
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
>
>   smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>       -Stls-config-pairs=Certificate=client-pair.pem
>   { smtp_ehlo && printf '\001
>   STARTTLS
>   \003
>   220 2.0.0 Ready to start TLS
>   ' &&
>   smtp_ehlo 0 && printf '\001
>   AUTH EXTERNAL
>   ' &&
>   smtp_auth_ok && smtp_go; } |
>   ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>   check auth-7 0 "${MBOX}" '4294967295 0'
>
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unprivileged account!)
>
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
>
> Other than that i say
> Ciao from Germany!
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
Aki Tuomi
2020-Aug-21 15:16 UTC
[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>
>
> Aki Tuomi wrote in
>  <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
>  |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>   ...
>  |> Wietse Venema wrote in
>  |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
>  |> ...
>  |>|Steffen Nurpmeso:
>  |> ...
>  |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
>  |>|> that in a client/server->auth-server situation?
>   ...
>  |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>  |>|two attributes that might be relevant, and that Postfix can send:
>  |>|
>  |>|secured
>  |>|    Remote user has secured transport to auth client] (eg. localhost, \
>  |>|    SSL, TLS)
>  |>|
>  |>|valid-client-cert
>  |>|    Remote user has presented a valid SSL certificate.
>  |>|
>  |>|But these are booleans. What protocol attribute would Postfix use
>  |>|to pass certificate name information (and which name, as there
>  |>|can be any number of them)?
>   ...
>  |I was trying to suggest that you could try dovecot submission server. \
>  |It might work better with EXTERNAL authentication.
>
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
>
>   smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>       -Stls-config-pairs=Certificate=client-pair.pem
>   { smtp_ehlo && printf '\001
>   STARTTLS
>   \003
>   220 2.0.0 Ready to start TLS
>   ' &&
>   smtp_ehlo 0 && printf '\001
>   AUTH EXTERNAL
>   ' &&
>   smtp_auth_ok && smtp_go; } |
>   ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>   check auth-7 0 "${MBOX}" '4294967295 0'
>
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unprivileged account!)
>
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
>
> Other than that i say
> Ciao from Germany!
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

Sorry for duplicate mail, I accidentally pressed too many keys... *sigh*

Anyways, I'm not sure if you understood my point, I meant, have you tried EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission_server/ ?

Aki
Michael Peddemors
2020-Aug-21 15:17 UTC
[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
Just another reminder..

https://github.com/dovecot/core/pull/86

This will allow plugins to make 'capability' advertisements more dynamic..

On 2020-08-21 7:56 a.m., Steffen Nurpmeso wrote:
> Aki Tuomi wrote in
>  <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
>  |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>   ...
>  |> Wietse Venema wrote in
>  |> <4BXSTk189nzJrP3 at spike.porcupine.org>:
>  |> ...
>  |>|Steffen Nurpmeso:
>  |> ...
>  |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
>  |>|> that in a client/server->auth-server situation?
>   ...
>  |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>  |>|two attributes that might be relevant, and that Postfix can send:
>  |>|
>  |>|secured
>  |>|    Remote user has secured transport to auth client] (eg. localhost, \
>  |>|    SSL, TLS)
>  |>|
>  |>|valid-client-cert
>  |>|    Remote user has presented a valid SSL certificate.
>  |>|
>  |>|But these are booleans. What protocol attribute would Postfix use
>  |>|to pass certificate name information (and which name, as there
>  |>|can be any number of them)?
>   ...
>  |I was trying to suggest that you could try dovecot submission server. \
>  |It might work better with EXTERNAL authentication.
>
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
>
>   smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>       -Stls-config-pairs=Certificate=client-pair.pem
>   { smtp_ehlo && printf '\001
>   STARTTLS
>   \003
>   220 2.0.0 Ready to start TLS
>   ' &&
>   smtp_ehlo 0 && printf '\001
>   AUTH EXTERNAL
>   ' &&
>   smtp_auth_ok && smtp_go; } |
>   ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>   check auth-7 0 "${MBOX}" '4294967295 0'
>
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unprivileged account!)
>
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
>
> Other than that i say
> Ciao from Germany!
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
>

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
Steffen Nurpmeso
2020-Aug-21 15:48 UTC
[EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.
(I removed Wietse Venema from Cc:.)

Aki Tuomi wrote in
 <1972528099.4900.1598022980955 at appsuite-dev-gw1.open-xchange.com>:
 ...
 |Sorry for duplicate mail, I accidentally pressed too many keys... *sigh*

Sure.

 |Anyways, I'm not sure if you understood my point, I meant, have you \
 |tried EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission\
 |_server/ ?

No, i never did.  I had to look into this, i do not think this is
applicable?  LMTP?  The dovecot submission server, ok, as a frontend
for postfix, this is what you mean?  No, i have not done this yet.
Start postfix on a different local port as a submission_relay_host=
target, then start dovecot submission on :25, :587 and :465.
I will try this out, thanks for the suggestion.

Ciao from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)