SASL support for mail proxy in NGINX

Maxim Dounin mdounin at mdounin.ru
Tue Sep 9 01:59:34 UTC 2014


Hello!

On Mon, Sep 08, 2014 at 03:28:01PM -0700, Quanah Gibson-Mount wrote:

> --On Tuesday, September 09, 2014 12:49 AM +0400 Maxim Dounin
> <mdounin at mdounin.ru> wrote:
> 
> >>> We plan on adding SASL support to SMTP as well unless you guys have
> >>> plans to do that already?
> >>
> >>Any nginx developers have any thoughts on this?
> >
> >When talking to mail backends, nginx doesn't use SASL for
> >authentication as it's believed to be superfluous to use it
> >instead of native protocol commands in the non-hostile backend
> >environment.
> 
> I'm not sure what you mean by this, can you expand please?

I mean: nginx uses "LOGIN" when talking to IMAP backends, 
"USER/PASS" when talking to POP3 backends, and I don't see reasons 
to use SASL mechanisms instead when talking to backends.

> >There is SASL support in the nginx mail module though, and it happily
> >authenticates users with PLAIN, LOGIN and CRAM-MD5 SASL mechanisms
> >(as long as the http_auth script used is able to handle this).
> 
> These are particularly limited SASL mechanisms.  Ours adds support for
> linking to cyrus-sasl, for extended SASL mechanisms such as GSSAPI, SPNEGO,
> etc.  If that's not of interest, that's fine, but it's generally much more
> useful security-wise.

No, linking to cyrus-sasl isn't an option, thanks.

-- 
Maxim Dounin
http://nginx.org/
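
Added example, not part of the original message and not nginx code: a sketch of the decision an auth_http script has to make for the client-side mechanisms named above. Header names follow the ngx_mail_auth_http_module documentation; the user table, backend addresses and the function name `auth_http` are constructed for illustration. It shows that CRAM-MD5 requires the script to hold a recoverable password, which it then returns so nginx can issue the native "LOGIN" or "USER/PASS" to the backend.

```python
import hashlib
import hmac

# Constructed credential store. CRAM-MD5 forces the script to keep
# recoverable (plaintext) passwords, because it must recompute the HMAC.
USERS = {"alice": "correct horse"}
# Constructed backend addresses (TEST-NET-1), keyed by Auth-Protocol.
BACKENDS = {"imap": ("192.0.2.10", "143"), "pop3": ("192.0.2.10", "110")}


def auth_http(headers):
    """Return the response headers for one nginx auth_http request."""
    fail = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    user = headers.get("Auth-User", "")
    method = headers.get("Auth-Method", "")
    supplied = headers.get("Auth-Pass", "")
    protocol = headers.get("Auth-Protocol", "")
    password = USERS.get(user)
    if password is None or protocol not in BACKENDS:
        return fail
    if method == "plain":
        # SASL PLAIN and LOGIN both arrive as "plain": Auth-Pass is the
        # password the client typed.
        expected = password
    elif method == "cram-md5":
        # Auth-Salt carries the challenge nginx sent; Auth-Pass carries the
        # client's hex HMAC-MD5(key=password, msg=challenge) per RFC 2195.
        challenge = headers.get("Auth-Salt", "")
        expected = hmac.new(password.encode(), challenge.encode(),
                            hashlib.md5).hexdigest()
    else:
        return fail
    # Constant-time comparison of the expected and supplied values.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return fail
    host, port = BACKENDS[protocol]
    # The Auth-Pass returned here is the plaintext nginx uses for the
    # backend's native login command.
    return {"Auth-Status": "OK", "Auth-Server": host,
            "Auth-Port": port, "Auth-Pass": password}
```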


