On 16-11-2017 at 2:07, MRob wrote:
Hi, this is partly Postfix related, but I want to know if there could
be a way to distinguish the port of the SASL AUTH request to segregate user
services.
Currently I use a unix listener for dovecot sasl auth, but could change
to inet_listener.
The only way I can think of is to have different SASL AUTH services for each
master.cf entry where it's needed. But is it possible for Dovecot to
have more than one SASL AUTH service with different configuration
setup? It would be nicer if there was a way for Postfix to tell
Dovecot about the port the client connected on.
Or maybe it can be done with a SASL realm? I'm not sure how? Any help
please?

I am not sure I understand the question completely.
The Dovecot SASL auth protocol allows setting various auxiliary fields:
https://github.com/dovecot/core/blob/release-2.2.33/src/auth/auth-request.c#L370
(Which, apparently, aren't all documented:
https://wiki2.dovecot.org/Design/AuthProtocol)
The service connection ports are among those fields. So, at least an
authentication client (e.g. Postfix) could pass the ip:port to Dovecot.
I don't know whether Postfix sets one of these port values at this time.
And even then, there's the question of whether the port value can be
used as a selector in some dynamic configuration. The local {...}
configuration sections can as far as I know only be used with IPs and
not with ports or IP:ports. Maybe you could do some magic in variable
substitutions, e.g. use it in the passdb/userdb database lookup.
Regards,
Stephan.
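
An added example, not part of the message above and not Dovecot or Postfix code: a small parser for the tab-separated AUTH command of the Dovecot auth protocol. It can be run over captured auth-socket lines to check whether the auth client supplies a local port at all. The field names `lport` and `rport` are assumed from the linked auth-request.c, and the sample lines are constructed.

```python
# Added example: inspect Dovecot auth-protocol AUTH lines for port fields.
# Assumption: the port fields are named "lport"/"rport" as in auth-request.c.

# Constructed sample lines (documentation IP ranges, dummy resp value).
WITH_PORT = ("AUTH\t1\tPLAIN\tservice=smtp\tlip=192.0.2.10\tlport=587"
             "\trip=198.51.100.7\trport=40112\tsecured\tresp=Y29uc3RydWN0ZWQ=")
WITHOUT_PORT = "AUTH\t2\tPLAIN\tservice=smtp\tnologin\tresp=Y29uc3RydWN0ZWQ="


def parse_auth_line(line):
    """Split an AUTH command into (id, mechanism, parameter dict)."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH command")
    params = {}
    for field in parts[3:]:
        key, sep, value = field.partition("=")
        # Flags such as "secured" or "nologin" carry no value.
        params[key] = value if sep else True
        if key == "resp":
            break  # resp= is the last parameter; the rest is ignored
    return parts[1], parts[2], params


def local_port(params):
    """Return the client-supplied local port, or None if it was not sent."""
    raw = params.get("lport")
    if raw is None or raw is True:
        return None
    if not (raw.isascii() and raw.isdigit()) or not 1 <= int(raw) <= 65535:
        raise ValueError("invalid lport value: %r" % raw)
    return int(raw)


def redact(params):
    """Copy of params that is safe to log: resp= carries the credentials."""
    return {k: ("<redacted>" if k == "resp" else v) for k, v in params.items()}


if __name__ == "__main__":
    for sample in (WITH_PORT, WITHOUT_PORT):
        req_id, mech, params = parse_auth_line(sample)
        print(req_id, mech, "lport:", local_port(params), redact(params))
```
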