Hello,

* Wietse Venema via Postfix-devel <wie...@porcupine.org>:
> Christian Rößner via Postfix-devel:
> > Hello,
> >
> > I wanted to ask you about an idea that came up in my mind. I am
> > developing a central authentication server (https://nauthilus.org).
> > It can be used everywhere (currently
> > tested with Dovecot, FreeRADIUS, OpenVPN, GitLab and many other
> > applications), where authentication is required (and it has a bunch
> > of anti-attack features builtin like complex brute-force detection,
> > block lists, RBLs, Lua-Hooks). The server talks HTTP REST (mainly
> > HTTP header based or JSON).
> >
> > When I looked at a way to bind Postfix to this server (Submission),
> > I only found some undocumented Cyrus-SASL plugin, which lacks
> > IP-address support. In fact you only get the local part, the domain
> > and the password. No other meta information is available (like IP,
> > SSL infos, anything else that you can get from a client connect).
> > A current workaround is to proxy Postfix behind Dovecot. Works,
> > but this is a dependency to another service.
> >
> > My question is, if you see some possibility to add some HTTP REST
> > to Postfix to talk to such an authentication server.
> >
> > Furthermore I thought about HTTP-support in tables as well to
> > communicate with modern micro services and get information for
> > i.e. relay-domains, -recipients, check_* etc... something like a
> > http_table? My feeling is that HTTP as a general purpose interface
> > would enhance Postfix.
> >
> > Maybe you have real good reasons to not do so, but I thought I
> > could ask here for your feedback. What do you think about HTTP
> > REST and as an enhancement for Postfix? Do you think it is a good idea
> > or not?
>
> I hope that you're talking about using the Postfix lookup table
> mechanism (a simple interface to query indexed files, LDAP or SQL
> databases, and special-purpose tables such as regexp:, pcre: and
> cidr:) and adding support to talk to a REST server.

Christian's and my conversation was about adding a generic http lookup
mechanism as we are under the impression that many services nowadays use HTTP
as protocol to lookup information.

A mechanism that is able to send more data (read: IP, envelope sender etc.) is
already there - it's the Postfix Policy Protocol. I'd probably implement a
Postfix Policy Protocol to REST client bridge if I wanted Postfix to
communicate to a Policy Service that speaks REST.

> If that is not the case, and instead the idea is to add a REST
> client to talk to your service, then such code would not be reusable,
> in addition to all the problems that come with parsing JSON in C,
> and to a lesser extent, parsing HTTP(S).
>
> Assuming that the idea is to use the Postfix lookup table mechanism
> to plug in a REST client:
>
> The easiest way to add a REST query support to Postfix is to not
> write Postfix code. Instead, write a small adapter and plug it into
> an existing Postfix interface.
>
> For example, a local tcp_table(5) server or socketmap_table(5)
> server that receives a query and that generates the necessary JSON
> and HTTP encapsulation, and vice versa for the response.
>
> https://www.postfix.org/tcp_table.5.html
> https://www.postfix.org/socketmap_table.5.html

ACK

> I suppose that someone could implement a robust prototype in a few
> hours time, and productize it in a couple of days. Python or Go
> should be up to the job. Both have mature library support for
> JSON and HTTP(S).
>
> Adding this as C code is unlikely to happen, not even as a donation.
> Postfix has a strong reputation to lose.
>
> Note: the current tcp_table and socketmap_table implementations do
> not authenticate the server, and therefore refuse to be used for
> security-sensitive queries. So a little code may be needed to wrap
> the communication over TLS. No biggie.
>
> Wietse
>
> > Maybe Patrick-Ben Koetter likes also to answer here, as I had a
> > phone call earlier these days with him concerning this idea.

And so I did and added my 2 ct.

Best,

p@rick

-- 
Patrick Ben Koetter
p...@state-of-mind.de
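
The adapter approach discussed in this thread, as an added example (not part of the original messages and not Postfix code): the request/reply handling of a socketmap_table(5) server that forwards each lookup to a REST backend and fails closed with TEMP when the backend is unreachable. The `GET <base>/<map>/<key>` URL layout, the `value` JSON field and the `relay_domains` map name are assumptions, and it assumes a listener hands each complete netstring to `handle_request`.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

MAX_LEN = 100000  # socketmap_table(5) default size limit for requests and replies

def encode_netstring(payload: bytes) -> bytes:
    return str(len(payload)).encode() + b":" + payload + b","

def decode_netstring(buf: bytes) -> bytes:
    """Decode exactly one netstring; raise ValueError on any malformed input."""
    head, sep, rest = buf.partition(b":")
    if not sep or not head.isdigit() or len(head) > 6:
        raise ValueError("bad netstring length")
    n = int(head)
    if n > MAX_LEN or len(rest) != n + 1 or rest[n:] != b",":
        raise ValueError("bad netstring framing")
    return rest[:n]

def http_json_lookup(base_url):
    """Build a lookup callable for a hypothetical REST API: GET <base>/<map>/<key>."""
    def lookup(map_name, key):
        url = "/".join([base_url] + [urllib.parse.quote(p, safe="") for p in (map_name, key)])
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return json.load(resp).get("value")
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None  # the backend has no entry for this key
            raise
    return lookup

def handle_request(raw: bytes, lookup) -> bytes:
    """Turn one socketmap request into one reply; backend errors become TEMP."""
    try:
        name, sep, key = decode_netstring(raw).decode("utf-8").partition(" ")
        if not sep:
            raise ValueError("missing key")
    except ValueError as err:  # UnicodeDecodeError is a ValueError subclass
        return encode_netstring(b"PERM " + str(err).encode())
    try:
        value = lookup(name, key)
    except Exception:  # never report an unreachable backend as NOTFOUND
        return encode_netstring(b"TEMP backend unavailable")
    if value is None:
        return encode_netstring(b"NOTFOUND ")
    return encode_netstring(b"OK " + str(value).encode("utf-8"))

SAMPLE_REQUEST = encode_netstring(b"relay_domains example.com")  # constructed sample
```

Returning TEMP rather than NOTFOUND on backend failure makes Postfix defer the decision instead of treating an outage as "no such entry".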