Detect port number of SASL AUTH request?


Detect port number of SASL AUTH request?

mrobti
Hi, this is partly Postfix related, but I want to know if there could be
a way to distinguish the port of the SASL AUTH request to segregate user
services.

Currently I use unix listener for dovecot sasl auth, but could change to
inet_listener.

The only way I can think of is to have different SASL AUTH services for each
master.cf entry where it's needed. But is it possible for Dovecot to have
more than one SASL AUTH service with different configuration setup? It
would be nicer if there was a way for Postfix to tell Dovecot about the
port the client connected on.

Or maybe it can be done with a SASL realm? I'm not sure how? Any help
please?

Re: Detect port number of SASL AUTH request?

Stephan Bosch


On 16-11-2017 at 2:07, MRob wrote:

> Hi, this is partly Postfix related, but I want to know if there could
> be a way to distinguish the port of the SASL AUTH request to segregate
> user services.
>
> Currently I use unix listener for dovecot sasl auth, but could change
> to inet_listener.
>
> The only way I can think of is to have different SASL AUTH services for
> each master.cf entry where it's needed. But is it possible for Dovecot to
> have more than one SASL AUTH service with different configuration
> setup? It would be nicer if there was a way for Postfix to tell
> Dovecot about the port the client connected on.
>
> Or maybe it can be done with a SASL realm? I'm not sure how? Any help
> please?

I am not sure I understand the question completely.

The Dovecot SASL auth protocol allows setting various auxiliary fields:

https://github.com/dovecot/core/blob/release-2.2.33/src/auth/auth-request.c#L370 
(Which, apparently, aren't all documented:
https://wiki2.dovecot.org/Design/AuthProtocol)

The service connection ports are among those fields. So, at least an
authentication client (e.g. Postfix) could pass the ip:port to Dovecot.
I don't know whether Postfix sets one of these port values at this time.

And even then, there's the question of whether the port value can be
used as a selector in some dynamic configuration. The local {...}
configuration sections can as far as I know only be used with IPs and
not with ports or IP:ports. Maybe you could do some magic in variable
substitutions, e.g. use it in the passdb/userdb database lookup.

Regards,

Stephan.
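
An added example, not part of either message and not Dovecot or Postfix code: a small parser for one AUTH request line of the Dovecot auth protocol, to check whether a client supplied the local port at all. It assumes the tab-separated layout from the Design/AuthProtocol page linked above and the field names lip, rip, lport and rport; the sample lines are constructed and contain no escaped characters.

```python
# Added example: parse a Dovecot auth-protocol AUTH request line and report
# which connection-info fields the authentication client supplied.
# Assumed layout: AUTH <TAB> id <TAB> mechanism <TAB> service=... [<TAB> param]...

CONN_FIELDS = ("lip", "lport", "rip", "rport")

# Constructed sample lines (documentation addresses, made-up credentials).
WITH_PORT = ("AUTH\t1\tPLAIN\tservice=smtp\tsecured\tlip=192.0.2.10\t"
             "rip=198.51.100.7\tlport=587\trport=50412\tresp=AHVzZXIAc2VjcmV0")
WITHOUT_PORT = ("AUTH\t2\tPLAIN\tservice=smtp\tlip=192.0.2.10\t"
                "rip=198.51.100.7\tresp=AHVzZXIAc2VjcmV0")


def parse_auth_request(line):
    """Split one AUTH line into request id, mechanism and parameters."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 4 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params = {}
    for field in parts[3:]:
        # Split on the first '=' only, so base64 padding in resp= survives.
        key, sep, value = field.partition("=")
        # Flags such as "secured" carry no value; record them as True.
        params[key] = value if sep else True
    if "service" not in params:
        raise ValueError("AUTH request without service=")
    if "resp" in params:
        # The SASL initial response carries the credentials; never keep it.
        params["resp"] = "<redacted>"
    return {"id": parts[1], "mech": parts[2], "params": params}


def local_port(request):
    """Return lport as an int, or None if the client sent no usable value."""
    raw = request["params"].get("lport")
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    port = int(raw)
    return port if 0 < port < 65536 else None


def missing_conn_fields(request):
    """List the connection-info fields absent from the request."""
    return [f for f in CONN_FIELDS if f not in request["params"]]


if __name__ == "__main__":
    for sample in (WITH_PORT, WITHOUT_PORT):
        req = parse_auth_request(sample)
        print(req["id"], local_port(req), missing_conn_fields(req))
```

A request without lport gives the auth side nothing to select on, so any port-based lookup has to treat that case as "unknown" rather than falling through to a default service.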