On Mon, Sep 08, 2014 at 03:28:01PM -0700, Quanah Gibson-Mount wrote:
--On Tuesday, September 09, 2014 12:49 AM +0400 Maxim Dounin email@example.com wrote:
We plan on adding SASL support to SMTP as well unless you guys have plan to do that already ?
Any nginx developers have any thoughts on this?
When talking to mail backends, nginx doesn't use SASL for authentication as it's believed to be superfluous to use it instead of native protocol commands in the non-hostile backend environment.
I'm not sure what you mean by this, can you expand please?
I mean: nginx uses "LOGIN" when talking to IMAP backends, "USER/PASS" when talking to POP3 backends, and I don't see reasons to use SASL mechanisms instead when talking to backends.
There is SASL support in nginx mail module though, and it happily authenticates users with PLAIN, LOGIN and CRAM-MD5 SASL mechanisms (as long as http_auth script used is able to handle this).
These are particularly limited SASL mechanisms. Ours adds support for linking to cyrus-sasl, for extended SASL mechanisms such as GSSAPI, SPNEGO, etc. If that's not of interest, that's fine, but it's generally much more useful security wise.
No, linking to cyrus-sasl isn't an option, thanks.