--On Tuesday, September 09, 2014 6:59 AM +0400 Maxim Dounin firstname.lastname@example.org wrote:
On Mon, Sep 08, 2014 at 03:28:01PM -0700, Quanah Gibson-Mount wrote:
--On Tuesday, September 09, 2014 12:49 AM +0400 Maxim Dounin email@example.com wrote:
We plan on adding SASL support to SMTP as well unless you guys have plans to do that already?
Any nginx developers have any thoughts on this?
When talking to mail backends, nginx doesn't use SASL for authentication as it's believed to be superfluous to use it instead of native protocol commands in the non-hostile backend environment.
I'm not sure what you mean by this, can you expand please?
I mean: nginx uses "LOGIN" when talking to IMAP backends, "USER/PASS" when talking to POP3 backends, and I don't see reasons to use SASL mechanisms instead when talking to backends.
If this were 1993, I might understand this. However, using SASL as an authentication mechanism has been standardized for a few decades now, and is part of all the major MTAs and IMAP, POP, etc. servers. It is also all quite standardized:
http://www.sendmail.org/~ca/email/auth.html
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_cyrussasl_authenticator.html
http://www.postfix.org/SASL_README.html
https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
There is SASL support in nginx mail module though, and it happily authenticates users with PLAIN, LOGIN and CRAM-MD5 SASL mechanisms (as long as http_auth script used is able to handle this).
These are particularly limited SASL mechanisms. Ours adds support for linking to cyrus-sasl, for extended SASL mechanisms such as GSSAPI, SPNEGO, etc. If that's not of interest, that's fine, but it's generally much more useful security wise.
No, linking to cyrus-sasl isn't an option, thanks.
The linking is entirely optional, but allows those who are concerned with actual security to enable secure mechanisms for communicating via SMTP, POP, IMAP, etc.
By ignoring modern SASL mechanisms (i.e., post 1993), you're eliminating wide swathes of the world from using nginx, particularly government, military, and educational institutions, which often have tight requirements for secure authentication mechanisms such as Kerberos5 (SASL/GSSAPI).
I would hope that increasing the security of nginx was actually a priority to the developers.
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
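As an added example, not code from nginx, Zimbra or anyone in the thread, here is a minimal handler for the mail module's auth_http callback that accepts the three mechanisms Maxim lists (PLAIN and LOGIN, which nginx reports to the script as one method, and CRAM-MD5). The header names follow the nginx auth_http protocol as I understand it (Auth-Method, Auth-User, Auth-Pass, Auth-Salt and Auth-Protocol in; Auth-Status, Auth-Server, Auth-Port, Auth-Pass and Auth-Wait out); the user store, backend addresses, failure delay and CRAM-MD5 challenge are constructed for the example. It shows why the built-in mechanisms are the limited ones: CRAM-MD5 can only be checked by a script that holds a password it can recover in cleartext, and that cleartext must also be handed back to nginx so it can do its plain LOGIN/USER+PASS against the backend.

```python
"""Hypothetical nginx auth_http handler for PLAIN/LOGIN and CRAM-MD5 (added example)."""
import hashlib
import hmac

# Constructed user store. CRAM-MD5 verification needs the cleartext password
# (or an equivalent precomputed HMAC-MD5 state), so this mechanism forces the
# auth script to hold recoverable secrets: that is its security trade-off.
USERS = {
    "alice@example.test": "correct horse battery staple",
}

# Constructed backend addresses returned to nginx on success, keyed by
# the Auth-Protocol value nginx sends.
BACKEND = {
    "imap": ("10.0.0.5", 143),
    "pop3": ("10.0.0.5", 110),
    "smtp": ("10.0.0.5", 25),
}

# Auth-Wait tells nginx how many seconds to stall a failed client,
# which throttles online password guessing. Constructed value.
FAIL_DELAY_SECONDS = 3


def cram_md5_response(challenge: str, password: str) -> str:
    """The digest a CRAM-MD5 client sends (RFC 2195): hex(HMAC-MD5(password, challenge))."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify(method: str, user: str, passwd: str, salt: str) -> bool:
    """Check the credential nginx relayed against the constructed store."""
    stored = USERS.get(user)
    if stored is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal whether an account exists.
        stored = ""
    if method == "plain":
        # PLAIN and LOGIN both arrive as Auth-Method: plain with the cleartext password.
        ok = hmac.compare_digest(passwd.encode(), stored.encode())
    elif method == "cram-md5":
        # Auth-Salt carries the challenge nginx issued; Auth-Pass carries the client's hex digest.
        expected = cram_md5_response(salt, stored)
        ok = hmac.compare_digest(passwd.lower(), expected)
    else:
        # APOP and EXTERNAL are not handled by this example.
        ok = False
    return ok and user in USERS


def handle_auth(headers: dict) -> dict:
    """Map the auth_http request headers to the response headers nginx expects."""
    h = {k.lower(): v for k, v in headers.items()}
    method = h.get("auth-method", "plain")
    user = h.get("auth-user", "")
    passwd = h.get("auth-pass", "")
    salt = h.get("auth-salt", "")
    proto = h.get("auth-protocol", "imap")

    if not verify(method, user, passwd, salt):
        # Any Auth-Status other than "OK" is the error text shown to the client.
        return {"Auth-Status": "Invalid login or password",
                "Auth-Wait": str(FAIL_DELAY_SECONDS)}

    host, port = BACKEND[proto]
    resp = {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}
    if method == "cram-md5":
        # nginx logs in to the backend with the protocol's native plaintext
        # login, so for CRAM-MD5 the script must return the cleartext password.
        resp["Auth-Pass"] = USERS[user]
    return resp


if __name__ == "__main__":
    challenge = "<1234.1410220800@mail.example.test>"  # constructed challenge
    digest = cram_md5_response(challenge, USERS["alice@example.test"])
    print(handle_auth({"Auth-Method": "cram-md5", "Auth-User": "alice@example.test",
                       "Auth-Pass": digest, "Auth-Salt": challenge, "Auth-Protocol": "imap"}))
```

The handler is deliberately a pure function over a header dictionary so it can sit behind any small HTTP server; the constant-time comparisons and the fixed Auth-Wait on failure are the two defensive details that a quick auth script most often omits.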