auth_policy in a non-authenticating proxy chain

auth_policy in a non-authenticating proxy chain

Peter Mogensen-4
Hi,

I was looking into the new Authentication Policy feature:
https://wiki2.dovecot.org/Authentication/Policy

I had kinda hoped that I would be able to enforce this in a proxy running
in front of several backends. This proxy does not authenticate. It uses
"nopassword".


But I realize that the "success" reported in the final authpolicy req.
(command=report) is not what is actually happening on the IMAP protocol
level, but rather the result of the passdb chain in the proxy.
(I should probably have predicted this, it's kinda reasonable).

However... since the proxy uses "nopassword", ALL passdb lookups result
in "success", so the proxy will never report an authentication failure
to the authpolicy server.

This, of course, forces me to do the authpolicy check on the backend
with a shared state, but it would still have been nice to have the proxy
being able to do the first "command=allow" req. and reject attempts
already there even though the backend does "command=report".

/Peter
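To make the effect Peter describes concrete, here is an added toy model of the Dovecot auth_policy exchange (example code written for this thread, not Dovecot's own code and not a real policy server). It assumes the two-step flow from the wiki page: a `command=allow` request before the passdb lookup and a `command=report` request after it carrying the passdb result in a `success` field, with a negative `status` in the reply meaning "reject". The request attribute names (`login`, `remote`, `protocol`, `success`, `policy_reject`), the lockout threshold of three failures and the `passdb` callables are assumptions for the simulation. Run side by side, an authenticating backend passdb eventually trips the policy, while a `nopassword` proxy passdb reports success on every attempt and so never feeds the policy server a failure.

```python
"""Toy simulation of Dovecot's auth_policy allow/report exchange (constructed example)."""
from collections import defaultdict

# Assumed policy: reject once this many failures have been reported for a (login, remote) pair.
FAIL_THRESHOLD = 3


class PolicyServer:
    """Stand-in for an auth policy server keeping per-(login, remote) failure counts."""

    def __init__(self):
        self.failures = defaultdict(int)

    def handle(self, command, req):
        # Reply shape approximates the documented one: {"status": <int>, "msg": <str>},
        # where a negative status tells Dovecot to reject the attempt.
        key = (req["login"], req["remote"])
        if command == "allow":
            if self.failures[key] >= FAIL_THRESHOLD:
                return {"status": -1, "msg": "too many failures"}
            return {"status": 0, "msg": ""}
        if command == "report":
            # The only thing the server learns about the outcome is what passdb said.
            if not req["success"]:
                self.failures[key] += 1
            return {"status": 0, "msg": ""}
        raise ValueError("unknown command: %s" % command)


def backend_passdb(login, password, users):
    """Authenticating passdb (backend): the result reflects whether the password is right."""
    return users.get(login) == password


def nopassword_proxy_passdb(login, password, users):
    """Proxy passdb with nopassword: no verification, so the lookup always "succeeds"."""
    return True


def login_attempt(policy, passdb, login, password, remote, users):
    """One authentication attempt as seen by the policy server."""
    req = {"login": login, "remote": remote, "protocol": "imap"}
    verdict = policy.handle("allow", req)
    if verdict["status"] < 0:
        # Rejected before the passdb lookup; the report carries policy_reject.
        policy.handle("report", dict(req, success=False, policy_reject=True))
        return "rejected-by-policy"
    ok = passdb(login, password, users)
    policy.handle("report", dict(req, success=ok, policy_reject=False))
    return "auth-ok" if ok else "auth-failed"


def simulate(passdb, attempts=5):
    """Replay repeated wrong-password logins for one user through the given passdb."""
    users = {"alice": "correct-horse"}  # constructed sample account
    policy = PolicyServer()
    return [login_attempt(policy, passdb, "alice", "wrong", "192.0.2.10", users)
            for _ in range(attempts)]


if __name__ == "__main__":
    print("backend (verifies passwords):", simulate(backend_passdb))
    print("proxy (nopassword):          ", simulate(nopassword_proxy_passdb))
```

The backend run turns into `rejected-by-policy` after the third reported failure; the proxy run is `auth-ok` five times from the policy server's point of view, even though every password was wrong, which is why the proxy alone cannot drive the `command=allow` decision in this setup.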
Re: auth_policy in a non-authenticating proxy chain

Sami Ketola

> On 14 Dec 2017, at 8.30, Peter Mogensen <[hidden email]> wrote:
> However... since the proxy uses "nopassword", ALL passdb lookups result
> in "success", so the proxy will never report an authentication failure
> to the authpolicy server.


Why not authenticate the sessions at the proxy level already? Is there any
reason not to do that?

Sami

Re: auth_policy in a non-authenticating proxy chain

Peter Mogensen-4


On 2017-12-14 10:31, Sami Ketola wrote:
>
>> On 14 Dec 2017, at 8.30, Peter Mogensen <[hidden email]> wrote:
>> However... since the proxy uses "nopassword", ALL passdb lookups result
>> in "success", so the proxy will never report an authentication failure
>> to the authpolicy server.
>
>
> Why not authenticate the sessions at the proxy level already? Is there any
> reason not to do that?

Yes. Several.
This is not a new setup. It's an already well established setup and it's
unlikely that authentication can be moved to the proxy.

/Peter