dovecot - Aug 2020 - [EXT] Re: dovecot-SASL for Postfix: EXTERNAL does not work.

Aki Tuomi wrote in
 <1907575568.4364.1597984769802 at appsuite-dev-gw1.open-xchange.com>:
 |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
 ...
 |>   Wietse Venema wrote in
 |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
 |>    ...
 |>|Steffen Nurpmeso:
 |>    ...
 |>|> until SASL says it is done?!.  How could EXTERNAL ever work like
 |>|> that in a client/server->auth-server situation?
 ...
 |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |>|two attributes that might be relevant, and that Postfix can send:
 |>|
 |>|secured
 |>|    Remote user has secured transport to auth client] (eg. localhost, \
 |>|    SSL, TLS)
 |>|
 |>|valid-client-cert
 |>|    Remote user has presented a valid SSL certificate.
 |>|
 |>|But these are booleans. What protocol attribute would Postfix use
 |>|to pass certificate name information (and which name, as there
 |>|can be any number of them)?
 ...
 |I was trying to suggest that you could try dovecot submission server. \
 |It might work better with EXTERNAL authentication.

Ok, thanks.  Yes, i just faked it for my tests, carrying over the
IMAP/POP3 communication.  (I use your output as a template and do
stuff like

        smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
           -Stls-config-pairs=Certificate=client-pair.pem
        { smtp_ehlo && printf '\001
  STARTTLS
  \003
  220 2.0.0 Ready to start TLS
  ' &&
           smtp_ehlo 0 && printf '\001
  AUTH EXTERNAL   ' &&
           smtp_auth_ok && smtp_go; } |
           ../net-test -U -s .t.sh > "${MBOX}" 2>&1
        check auth-7 0 "${MBOX}" '4294967295 0'

you know.  Terrible this does not work for GSSAPI, i am about to
ask the MIT people to add two pseudo credentials, one which always
works and one which does not, so that automatic testing is
possible at all, and via unpriviledged account!)

But wouldn't this be an improvement, extending the protocol so
that it announces a fingerprint checksum digest, which then can be
used in return to report client certificate fingerprints to the
dovecot auth server?  Like that even client certificate
verification could be handled by dovecot auth, aka via SASL, and
administrators would have to take care for one user database only?

Other than that i say
Ciao from Germany!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> 
>  
> Aki Tuomi wrote in
>  <1907575568.4364.1597984769802 at
appsuite-dev-gw1.open-xchange.com>:
>  |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu>
wrote:
>  ...
>  |>   Wietse Venema wrote in
>  |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>  |>    ...
>  |>|Steffen Nurpmeso:
>  |>    ...
>  |>|> until SASL says it is done?!.  How could EXTERNAL ever work
like
>  |>|> that in a client/server->auth-server situation?
>  ...
>  |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>  |>|two attributes that might be relevant, and that Postfix can send:
>  |>|
>  |>|secured
>  |>|    Remote user has secured transport to auth client] (eg.
localhost, \
>  |>|    SSL, TLS)
>  |>|
>  |>|valid-client-cert
>  |>|    Remote user has presented a valid SSL certificate.
>  |>|
>  |>|But these are booleans. What protocol attribute would Postfix use
>  |>|to pass certificate name information (and which name, as there
>  |>|can be any number of them)?
>  ...
>  |I was trying to suggest that you could try dovecot submission server. \
>  |It might work better with EXTERNAL authentication.
> 
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
> 
>         smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>            -Stls-config-pairs=Certificate=client-pair.pem
>         { smtp_ehlo && printf '\001
>   STARTTLS
>   \003
>   220 2.0.0 Ready to start TLS
>   ' &&
>            smtp_ehlo 0 && printf '\001
>   AUTH EXTERNAL >   ' &&
>            smtp_auth_ok && smtp_go; } |
>            ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>         check auth-7 0 "${MBOX}" '4294967295 0'
> 
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unpriviledged account!)
> 
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
> 
> Other than that i say
> Ciao from Germany!
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

> On 21/08/2020 17:56 Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> 
>  
> Aki Tuomi wrote in
>  <1907575568.4364.1597984769802 at
appsuite-dev-gw1.open-xchange.com>:
>  |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu>
wrote:
>  ...
>  |>   Wietse Venema wrote in
>  |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>  |>    ...
>  |>|Steffen Nurpmeso:
>  |>    ...
>  |>|> until SASL says it is done?!.  How could EXTERNAL ever work
like
>  |>|> that in a client/server->auth-server situation?
>  ...
>  |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>  |>|two attributes that might be relevant, and that Postfix can send:
>  |>|
>  |>|secured
>  |>|    Remote user has secured transport to auth client] (eg.
localhost, \
>  |>|    SSL, TLS)
>  |>|
>  |>|valid-client-cert
>  |>|    Remote user has presented a valid SSL certificate.
>  |>|
>  |>|But these are booleans. What protocol attribute would Postfix use
>  |>|to pass certificate name information (and which name, as there
>  |>|can be any number of them)?
>  ...
>  |I was trying to suggest that you could try dovecot submission server. \
>  |It might work better with EXTERNAL authentication.
> 
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
> 
>         smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>            -Stls-config-pairs=Certificate=client-pair.pem
>         { smtp_ehlo && printf '\001
>   STARTTLS
>   \003
>   220 2.0.0 Ready to start TLS
>   ' &&
>            smtp_ehlo 0 && printf '\001
>   AUTH EXTERNAL >   ' &&
>            smtp_auth_ok && smtp_go; } |
>            ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>         check auth-7 0 "${MBOX}" '4294967295 0'
> 
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unpriviledged account!)
> 
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
> 
> Other than that i say
> Ciao from Germany!
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
Sorry for duplicate mail, I accidentically pressed too many keys... *sigh*

Anyways, I'm not sure if you understood my point, I ment, have you tried
EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission_server/ ?

Aki

Just another reminder..

https://github.com/dovecot/core/pull/86

This will allow plugins to make 'capability' advertisements more
dynamic..

On 2020-08-21 7:56 a.m., Steffen Nurpmeso wrote:
> Aki Tuomi wrote in
>   <1907575568.4364.1597984769802 at
appsuite-dev-gw1.open-xchange.com>:
>   |> On 21/08/2020 02:17 Steffen Nurpmeso <steffen at sdaoden.eu>
wrote:
>   ...
>   |>   Wietse Venema wrote in
>   |>    <4BXSTk189nzJrP3 at spike.porcupine.org>:
>   |>    ...
>   |>|Steffen Nurpmeso:
>   |>    ...
>   |>|> until SASL says it is done?!.  How could EXTERNAL ever work
like
>   |>|> that in a client/server->auth-server situation?
>   ...
>   |>|https://wiki1.dovecot.org/Authentication%20Protocol mentions
>   |>|two attributes that might be relevant, and that Postfix can send:
>   |>|
>   |>|secured
>   |>|    Remote user has secured transport to auth client] (eg.
localhost, \
>   |>|    SSL, TLS)
>   |>|
>   |>|valid-client-cert
>   |>|    Remote user has presented a valid SSL certificate.
>   |>|
>   |>|But these are booleans. What protocol attribute would Postfix use
>   |>|to pass certificate name information (and which name, as there
>   |>|can be any number of them)?
>   ...
>   |I was trying to suggest that you could try dovecot submission server. \
>   |It might work better with EXTERNAL authentication.
> 
> Ok, thanks.  Yes, i just faked it for my tests, carrying over the
> IMAP/POP3 communication.  (I use your output as a template and do
> stuff like
> 
>          smtp_script smtp -Ssmtp-config=-all,starttls,externanon \
>             -Stls-config-pairs=Certificate=client-pair.pem
>          { smtp_ehlo && printf '\001
>    STARTTLS
>    \003
>    220 2.0.0 Ready to start TLS
>    ' &&
>             smtp_ehlo 0 && printf '\001
>    AUTH EXTERNAL >    ' &&
>             smtp_auth_ok && smtp_go; } |
>             ../net-test -U -s .t.sh > "${MBOX}" 2>&1
>          check auth-7 0 "${MBOX}" '4294967295 0'
> 
> you know.  Terrible this does not work for GSSAPI, i am about to
> ask the MIT people to add two pseudo credentials, one which always
> works and one which does not, so that automatic testing is
> possible at all, and via unpriviledged account!)
> 
> But wouldn't this be an improvement, extending the protocol so
> that it announces a fingerprint checksum digest, which then can be
> used in return to report client certificate fingerprints to the
> dovecot auth server?  Like that even client certificate
> verification could be handled by dovecot auth, aka via SASL, and
> administrators would have to take care for one user database only?
> 
> Other than that i say
> Ciao from Germany!
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
> 


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices
Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

(I removed Wietse Venema from Cc:.)

Aki Tuomi wrote in
 <1972528099.4900.1598022980955 at appsuite-dev-gw1.open-xchange.com>:
  ...
 |Sorry for duplicate mail, I accidentically pressed too many keys... *sigh*

Sure.

 |Anyways, I'm not sure if you understood my point, I ment, have you \
 |tried EXTERNAL auth with https://doc.dovecot.org/admin_manual/submission\
 |_server/ ?

No, i never did.  I had to look into this, i do not think this is
applicable?  LMTP?  The dovecot submission server, ok, as
a frontend for postfix, this is what you mean?  No, i have not
done this yet.  Start postfix on a different local port as
a submission_relay_host= target, then start dovecot submission on
:25, :587 and :465.  I will try this out, thanks for the
suggestion.

Ciao from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)