Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]

From: Nate (no email)
Date: Tue Feb 10 2009 - 19:22:34 EST


    At 03:53 PM 3/18/2008, you wrote:
    >Wietse Venema wrote:
    > > There is no reason why this can't be implemented, but I want to
    > > avoid chaos in Postfix. So I don't want to keep adding more and
    > > more ad-hoc parameters to the Postfix-to-SASL library interface.
    > >
    > > This interface is also used by Cyrus SASL and may be used for other
    > > non-Cyrus implementations later. Changes to this API should be
    > > carefully designed.
    > > I understand. It's have to wait unless it can really be necessary for
    > > more users and could be part of 'official' API.
    > > I wrote about it as "for not near future" wish. As for 'some day'.
    >In the case of the Postfix TLS library we ran into a similar problem,
    >when APIs kept growing with more and more function call parameters.
    >To maintain some level of elegance I introduced function calls with
    >named parameters:
    > TLS_SERVER_START(...stuff...,
    > ctx = smtpd_tls_ctx,
    > stream = state->client,
    > log_level = var_smtpd_tls_loglevel,
    > timeout = var_smtpd_starttls_tmout,
    > ...more stuff...);
    >C does not have named parameter lists, but they can be emulated
    >with a little bit of C preprocessor fu. This looks like a usable
    >approach for extending the Postfix-to-SASL library interface.
    >Another approach is using a call-back function that queries Postfix
    >for specific information. This is the approach taken with the
    >Postfix Milter client, but it is probably over-kill for SASL.
    > Wietse

    I'll throw my request in for this feature to be prioritized. We're
    using SMTP AUTH in postfix, querying the dovecot auth socket which
    works well; however, in our virtual hosted environment it requires
    that customers log in with their full email address. Great in
    practice, but impractical when a hosting account moves over and has
    300, or 3000 subscribers all using username only authentication. In
    that case, with dovecot currently the query is written to compare
    full email (if exists to the database) and if not, it compares the
    local_ip value of the connection to the database to do a domain match
    so the full domain is not required and then concatenates the domain
    which was just looked up by local_ip to the username for a full match.

    As the dovecot auth socket does not receive the local_ip information
    from postfix currently, this is not an option. It would help us out
    a lot if this feature were in there.

    I noticed somebody wrote a patch for postfix-2.3.8. I'm not a C
    programmer myself, so I'm not sure of its quality or if this code
    could be used or committed to the postfix source tree. Found at

    - Nathan
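
    Added example, not part of the original messages and not Postfix or Dovecot code: a C sketch of the two ideas in this thread, named parameters emulated with the preprocessor and a bare username completed from the connection's local IP. It uses a C99 compound literal rather than Postfix's own macros; `auth_props`, `AUTH_RESOLVE`, `auth_resolve` and the IP-to-domain table are hypothetical names and constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical property bundle; field names are assumptions. */
struct auth_props {
    const char *username;
    const char *local_ip;    /* "lip": address the client connected to */
    const char *remote_ip;   /* "rip": client address, unused here */
};

/* Named-parameter emulation: callers pass .field = value in any order;
 * fields that are not named are zero-initialized (NULL). */
#define AUTH_RESOLVE(out, len, ...) \
    auth_resolve((out), (len), &(struct auth_props){ __VA_ARGS__ })

/* Constructed sample data: local IP -> hosted domain. */
static const struct { const char *ip, *domain; } ip_domains[] = {
    { "192.0.2.10", "example.com" },
    { "192.0.2.11", "example.net" },
};

/* Writes the full login to out; returns 0, or -1 if it cannot be resolved. */
int auth_resolve(char *out, size_t len, const struct auth_props *p)
{
    const char *domain = NULL;
    size_t i; int n;
    if (p->username == NULL || *p->username == '\0')
        return -1;
    if (strchr(p->username, '@') != NULL) {       /* already a full address */
        n = snprintf(out, len, "%s", p->username);
    } else {
        if (p->local_ip == NULL)                  /* no lip passed: fail closed */
            return -1;
        for (i = 0; i < sizeof(ip_domains) / sizeof(ip_domains[0]); i++)
            if (strcmp(p->local_ip, ip_domains[i].ip) == 0)
                domain = ip_domains[i].domain;
        if (domain == NULL)                       /* unknown local IP */
            return -1;
        n = snprintf(out, len, "%s@%s", p->username, domain);
    }
    return (n < 0 || (size_t) n >= len) ? -1 : 0; /* reject truncation */
}

int main(void)
{
    char buf[64];
    if (AUTH_RESOLVE(buf, sizeof buf, .local_ip = "192.0.2.11", .username = "bob") == 0)
        puts(buf);                                /* bob@example.net */
    return 0;
}
```

    A caller that does not name `.local_ip` gets NULL for it, so a bare username is rejected rather than matched against a guessed domain.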
