Re: Sending SSL/TLS state to Dovecot auth

From: Timo Sirainen (no email)
Date: Mon Feb 23 2009 - 17:40:05 EST

  • Next message: Victor Duchovni: "Re: Sending SSL/TLS state to Dovecot auth"

    On Mon, 2009-02-23 at 17:11 -0500, Wietse Venema wrote:
    > Timo Sirainen:
    > > On Mon, 2009-02-23 at 16:49 -0500, Wietse Venema wrote:
    > > > > It's basically the same thing as "disable plaintext authentication",
    > > > > except on a per-user (or per-domain, or per-source-IP-range) basis
    > > > > rather than globally. There are probably some other use cases that I've
    > > > > heard before but can't remember right now.
    > > >
    > > > The MTA gets the Dovecot mechanism list first, including PLAIN or
    > > > LOGIN. Then the MTA sends the user's login name and password and
    > > > the TLS session state, and then Dovecot says no you can't do that.
    > > >
    > > > What's the point?
    > >
    > > The same server may handle multiple different domains where some require
    > > that SSL/TLS is enabled for authentication to succeed, while for other
    > > domains it must be only optional. The server doesn't know if it requires
    > > SSL/TLS until it knows the SASL username.
    > The client has already sent the plaintext. What problem are you
    > trying to solve by having Dovecot say "no" when it is too late?

    It's too late for a few times (until the user fixes the client
    configuration), but not forever (because it won't work until the
    configuration is fixed). Also with a laptop the initial setup is often
    done in a relatively safe location such as home or office, while the
    connections afterwards could be done in all kinds of insecure places.
