On 20/08/2020 17:28 Steffen Nurpmeso <stef...@sdaoden.eu> wrote:

Hello.

I am not subscribed and new here, so first of all i want to thank you for dovecot. I personally do not use it in "production" (yet), but it is my sole point of interaction for testing the little MUA i maintain for quite some years. I also have used its code for affirmation purposes. (Interesting that OAUTHBEARER treats hostname and port as optional. I currently do OAUTHBEARER.)

So then i stumbled over GSSAPI not being usable anymore with the latest release, but it seems there is an ML thread with a fix. I have not tried it, i reverted to the last release here, though.

When i implemented EXTERNAL authentication last year i could not figure out how to make postfix+dovecot-SASL work with it. First of all i had to switch configs back and forth, but in the meantime i learned a very nice trick: if i use two password databases

  passdb {
    driver = passwd-file
    mechanisms = external
    args = /etc/dovecot/pass-external.db
    override_fields = nopassword
  }

  passdb {
    driver = passwd-file
    args = /etc/dovecot/pass.db
  }

  userdb {
    driver = passwd
  }

which are effectively the same except that one does not have passwords while the other has, i can use EXTERNAL (with and without additional user-via-protocol in combination with auth_ssl_username_from_cert=yes) and it just works!

Whereas EXTERNAL works just fine for IMAP and POP3 it does not for SMTP. Last year when i did it i saw a postfix ML thread in action, so i have not looked further into that. Looking again with things unchanged in the postfix 3.5 that they mentioned by then i think, i now posted to the postfix list myself yesterday [1], and it turned out that postfix seems incapable to do something about it, because the dovecot auth protocol does not offer the possibility to specify a valid-user-certificate-seen flag as well as pass the username from the certificate. (Or even pass the entire certificate as a base64 string, less postfix CA, .. or whatever.)

What is really terrible with the current situation is that postfix announces the EXTERNAL, with Wietse Venema saying

  Short summary: Postfix does not implement a single iota of SASL AUTH support. Postfix simply propagates the names of mechanisms that the backend (Cyrus or Dovecot) claims to support, and Postfix proxies requests and responses between the remote SMTP client and the SASL backend. Postfix has no idea what SASL mechanisms are, including EXTERNAL. It just proxies stuff.

  If Dovecot claims to support SASL EXTERNAL but does not handle it, that that is a bit of a WTF.

It would be tremendous to have true EXTERNAL support all through, i personally really like EXTERNAL, i would rather have some password-protected cryptographically secured certificates in my local store, and have client certificates in all the IoT devices, than have to mess around with the OAUTH that the major players press forward, for example.

Thanks,
and Ciao from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
You could try out dovecot submission service. It should work better with EXTERNAL.
--- Aki Tuomi
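As an added illustration (not taken from either mail), this is the two-passdb EXTERNAL setup Steffen describes, together with the TLS client-certificate settings it depends on: Dovecot's EXTERNAL mechanism only accepts a request when the login process has seen a certificate that verified against ssl_ca, so the allow-list passdb alone is not sufficient. File paths, the CA bundle and the sample user lines are assumptions.

```conf
# Added example configuration (not from Steffen's or Aki's mail): the
# two-passdb EXTERNAL trick from the thread plus the TLS client-certificate
# settings it relies on. Paths and sample entries are assumptions.

ssl = required
# assumed server certificate and key paths
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key

# Request a client certificate and verify it against this (assumed) CA file.
# Without a verified client certificate the login process never reports
# valid-client-cert to the auth process, and EXTERNAL is refused.
ssl_ca = </etc/dovecot/client-ca.pem
ssl_verify_client_cert = yes

# Leave this at "no" so clients without a certificate can still fall through
# to the password passdb; set "yes" only for a certificate-only deployment.
auth_ssl_require_client_cert = no

# Take the login name from the certificate (commonName is the default field).
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

# EXTERNAL must be listed here to be advertised at all.
auth_mechanisms = plain login external

# 1) EXTERNAL only. The password column is ignored (nopassword), so the file
#    is an allow-list of certificate subjects, e.g. a constructed line "alice:".
passdb {
  driver = passwd-file
  mechanisms = external
  args = /etc/dovecot/pass-external.db
  override_fields = nopassword
}

# 2) All other mechanisms: a normal password file,
#    e.g. a constructed line "alice:{SHA512-CRYPT}<hash>".
passdb {
  driver = passwd-file
  args = /etc/dovecot/pass.db
}

userdb {
  driver = passwd
}
```

Check the result with `doveconf -n` and an IMAP login that presents a client certificate: EXTERNAL should appear in the CAPABILITY response only over TLS, and a certificate whose subject is missing from pass-external.db must be rejected.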