> On 21/08/2020 02:17 Steffen Nurpmeso <[email protected]> wrote:
>
>
> Hello and good evening.
>
> Sorry for responding so late, it is midsummer and i spend as much
> time as possible on the outside (bicycle, mostly). (Just one more
> day, then 10 degrees colder!!)
>
> I Cc: Wietse Venema, because i quote a message of him.
> (this is "set quote-add-cc" here.)
>
> Aki Tuomi wrote in
> <[email protected]>:
>
> The dovecot mail archive removed your HTML message :)
> (And given code like
>
> <div>
>
> </div>
> <div>
>
> </div>
> <div>
> Hello.
> </div>
> <div>
>
> </div>
> <div>
> I am not subscribed and new here, so first of all i want to thank
> </div>
> <div>
> you for dovecot. I personally do not use it in "production"
> </div>
>
> it was right in doing so :-)
>
> ||On 20/08/2020 17:28 Steffen Nurpmeso <[1][email protected][/1]> wrote:
> ...
> ||What is really terrible with the current situation is that postfix
> |
> ||announces the EXTERNAL, with Wietse Venema saying
>
> It seems he has read the dovecot documentation again in the
> meantime, different to me :(, so i have to apologise for saying
>
> |[1], and it turned out that postfix seems incapable to do
> |something about it, because the dovecot auth protocol does not
> |offer the possibility to specify a valid-user-certificate-seen
> |flag as well as pass the username from the certificate. (Or even
> |pass the entire certificate as a base64 string, less postfix CA,
> |.. or whatever.)
>
> because Wietse Venema now says
>
> Wietse Venema wrote in
> <[email protected]>:
> ...
> |Steffen Nurpmeso:
> ...
> |> until SASL says it is done?!. How could EXTERNAL ever work like
> |> that in a client/server->auth-server situation?
> |
> |There's a chicken and egg question in there somewhere.
> |
> |https://wiki1.dovecot.org/Authentication%20Protocol mentions
> |two attributes that might be relevant, and that Postfix can send:
> |
> |secured
> | Remote user has secured transport to auth client] (eg. localhost, \
> | SSL, TLS)
> |
> |valid-client-cert
> | Remote user has presented a valid SSL certificate.
> |
> |But these are booleans. What protocol attribute would Postfix use
> |to pass certificate name information (and which name, as there
> |can be any number of them)?
> |
> | Wietse
> | Wietse
> --End of <[email protected]>
>
> I think i will spend some time tomorrow and try to do some
> coding with postfix. Let's see whether the immediate response of
> EXTERNAL can work with dovecot's SASL, even in conjunction with
> auth_ssl_username_from_cert=yes that is!
> Otherwise i think what he says here.
>
> |You could try out dovecot submission service. It should work better \
> |with EXTERNAL.
>
> For the internal test network this may really be an option. But
> for my web vm: ach, i am not an administrator, it is pain to get
> used to all that. In real life i use the DMA here, and external
> mail goes via my MUA through ssh only:
>
> set mta=/usr/bin/ssh
> set mta-arguments='[email protected] /usr/sbin/sendmail -t'
> set mta-argv0=ssh
>
> That sendmail is postfix, then. And there is such a tremendous
> amount of noise in the logs of postfix and the lighttpd web server
> that are available easily from the network, it is terrible. Even
> with very rigid firewall rules, and things like postfix's error
> limits, junk command limit, record deadlines, timeouts, active
> sleeping in restrictions ... And for now i would not even know
> whether dovecot has equivalents, nor how to apply this
> correctly. These are all very capable and highly configurable
> applications. dovecot for example, i track the source for
> a couple of years, comes with
> 568 files changed, 26488 insertions(+), 6969 deletions(-)
> for my last update (v2.3.10.1 to v2.3.11.3). This is a lot.
>
> Thank you.
> And Ciao! and good night from Germany,
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

I was trying to suggest that you could try dovecot submission server. It might work better with EXTERNAL authentication.

Aki
