Christian Roessner via Postfix-devel:
> >> Many decisions could happen directly while authenticating and not
> >> after it in the SMTP-protocol. If you do so later in MAIL FROM or
> >> RCPT TO, the attacker already knows that he probably got correct
> >> credentials. This is the main power of Nauthilus to early decide
> >> on metadata.
> >
> > Today, people would delegate this to a postfwd policy service that
> > receives all available session state information: TLS protocol,
> > cipher, keysize; IP address and port (server and client); SASL
> > login, name, method; and more.
>
> Yes, policy delegation might be okay, but it lacks username and
> password. Either a service would run in smtpd_client/helo_restrictions
> or the earliest possible stage would be smtpd_sender/recipient_restrictions.
> The authentication is in the middle of both and therefore lacks
> full meta data. Am I right?
The policy delegation protocol provides the SASL login name and some TLS
session info. It does not have the SNI hostname or server certificate
details, but that could be added.

You appear to be using the table lookup API and protocol, but that
provides only one property (for example, a host or domain name, IP
address, or an email address). For queries that involve multiple
properties, Postfix provides the SMTP policy delegation protocol.

Now, on the separation of policy and mechanism. Postfix very much likes
to separate policy from the mechanism. That is one reason for having
separate implementations for SASL authentication and for the policy
that determines what rights the user has.

1) Authentication mechanisms are implemented with Cyrus SASL and Dovecot
auth (they also implement other things that Postfix does not use).

2) Policies for what rights a user has can be implemented after logging
in, for example with smtpd_sender_login_maps and check_sasl_access
built-ins, and with the existing policy delegation protocol for external
policies.

A policy delegation server can be implemented in any programming
language that can read multiple lines of text from a socket (it does not
even use netstring encapsulation) and that can respond with one line of
text.

	Wietse
_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org
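The policy delegation protocol described above, as an added example that is not part of either message and is not Postfix or Nauthilus code: a minimal policy server that reads one request (attribute=value lines terminated by an empty line), decides on the SASL login name together with the TLS session state, and answers with a single action line. The attribute names (request, sender, sasl_username, encryption_protocol, encryption_keysize) are the ones Postfix sends; the ALLOWED_SENDERS table, the 128-bit key size floor and the sample request are constructed for the illustration.

```python
"""Minimal Postfix SMTP access policy server (illustration only).

Reads requests from stdin in the Postfix policy delegation wire format
and writes "action=..." replies to stdout, which is how spawn(8) runs a
policy service.  The policy itself is a stand-in for what a site would
do after authentication: require TLS, require a strong cipher, and only
allow envelope senders owned by the SASL login.
"""
import io
import sys

# Constructed site policy: which SASL login names may use which envelope
# senders.  A real deployment would draw this from the same source as
# smtpd_sender_login_maps; these names are made up for the example.
ALLOWED_SENDERS = {
    "alice": {"alice@example.org", "alerts@example.org"},
    "bob": {"bob@example.org"},
}
MIN_TLS_KEYSIZE = 128  # assumed site minimum for the symmetric cipher key


def parse_request(stream):
    """Read one policy request: attribute=value lines ending with an empty line.

    Returns an empty dict at EOF so the caller can end the session.
    """
    attrs = {}
    while True:
        line = stream.readline()
        if line == "":          # EOF: Postfix closed the connection
            return attrs
        line = line.rstrip("\r\n")
        if line == "":          # blank line terminates the request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value


def decide(attrs):
    """Return the action for one request (the text after 'action=')."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    if not user:
        # Not SASL-authenticated: leave it to the other restrictions.
        return "DUNNO"
    # Authenticated sessions must be TLS protected; Postfix sends an
    # empty encryption_protocol on plaintext sessions.
    if not attrs.get("encryption_protocol"):
        return "REJECT Authenticated submission requires TLS"
    try:
        keysize = int(attrs.get("encryption_keysize") or 0)
    except ValueError:
        keysize = 0
    if keysize < MIN_TLS_KEYSIZE:
        return "REJECT TLS cipher too weak for authenticated submission"
    # Sender ownership: the same idea as reject_sender_login_mismatch,
    # decided in external code with the rest of the session state at hand.
    sender = attrs.get("sender", "").lower()
    if sender and sender not in ALLOWED_SENDERS.get(user, set()):
        return "REJECT Sender address not owned by login %s" % user
    return "DUNNO"


def handle_text(request_text):
    """Handle one request given as text; returns the complete reply text."""
    attrs = parse_request(io.StringIO(request_text))
    return "action=%s\n\n" % decide(attrs)


def serve(inp, out):
    """Serve requests on one connection until EOF.  spawn(8) starts one
    process per connection, so a plain loop is sufficient."""
    while True:
        attrs = parse_request(inp)
        if not attrs:
            break
        out.write("action=%s\n\n" % decide(attrs))
        out.flush()


# Constructed request in the wire format Postfix uses (subset of attributes).
SAMPLE_OK = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=someone@example.net\n"
    "sasl_method=PLAIN\n"
    "sasl_username=alice\n"
    "encryption_protocol=TLSv1.3\n"
    "encryption_cipher=TLS_AES_256_GCM_SHA384\n"
    "encryption_keysize=256\n"
    "\n"
)

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

To wire it in, the usual pattern is a spawn(8) entry in master.cf (the path is an assumption), for example `policy unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /usr/local/bin/policy.py`, and `check_policy_service unix:private/policy` in smtpd_sender_restrictions so that the sender attribute is present when the request arrives. The server never sees the password, which is exactly the separation Wietse describes: authentication happens in Cyrus SASL or Dovecot, and this code only decides what an already-authenticated login may do.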