SASL support for mail proxy in NGINX

Quanah Gibson-Mount quanah at zimbra.com
Tue Sep 9 16:53:42 UTC 2014 

--On Tuesday, September 09, 2014 6:59 AM +0400 Maxim Dounin 
<mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 08, 2014 at 03:28:01PM -0700, Quanah Gibson-Mount wrote:
>
>> --On Tuesday, September 09, 2014 12:49 AM +0400 Maxim Dounin
>> <mdounin at mdounin.ru> wrote:
>>
>> >>> We plan on adding SASL support to SMTP as well unless you guys have
>> >>> plan to do that already ?
>> >>
>> >> Any nginx developers have any thoughts on this?
>> >
>> > When talking to mail backends, nginx doesn't use SASL for
>> > authentication as it's believed to be superfluous to use it
>> > instead of native protocol commands in the non-hostile backend
>> > environment.
>>
>> I'm not sure what you mean by this, can you expand please?
>
> I mean: nginx uses "LOGIN" when talking to IMAP backends,
> "USER/PASS" when talking to POP3 backends, and I don't see reasons
> to use SASL mechanisms instead when talking to backends.

If this were 1993, I might understand this.  However, using SASL as an 
authentication mechanism has been standarized for a few decades now, and is 
part of all the major MTAs and IMAP, POP, etc servers.  It is also all 
quite standardized:

<https://www.ietf.org/rfc/rfc1731.txt>
<https://www.ietf.org/rfc/rfc2554.txt>

<http://www.sendmail.org/~ca/email/auth.html>
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_cyrussasl_authenticator.html>
<http://www.postfix.org/SASL_README.html>
<https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html>

<http://www.cyrusimap.org/docs/cyrus-imapd/2.4.8/install-auth.php>

etc.

>> > There is SASL support in nginx mail module though, and it happily
>> > authenticates users with PLAIN, LOGIN and CRAM-MD5 SASL mechanisms
>> > (as long as http_auth script used is able to handle this).
>>
>> These are particularly limited SASL mechanisms.  Ours adds support for
>> linking to cyrus-sasl, for extended SASL mechanisms such as GSSAPI,
>> SPNEGO, etc.  If that's not of interest, that's fine, but it's generally
>> much more useful security wise.
>
> No, linking to cyrus-sasl isn't an option, thanks.

The linking is entirely optional, but allows those who are concerned with 
actual security to enable secure mechanisms for communicating via SMTP, 
POP, IMAP, etc.

By ignoring modern SASL mechanisms (i.e., post 1993), you're eliminating 
wide swathes of the world from using nginx, particularly government, 
military, and educational institutions, which often have tight requirements 
for secure authentication mechansisms such as Kerberos5 (SASL/GSSAPI).

I would hope that increasing the security of nginx was actually a priority 
to the developers.

--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

More information about the nginx-devel mailing list