SASL support for mail proxy in NGINX
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 9 01:59:34 UTC 2014
Hello!

On Mon, Sep 08, 2014 at 03:28:01PM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, September 09, 2014 12:49 AM +0400 Maxim Dounin
> <mdounin at mdounin.ru> wrote:
>
> >>> We plan on adding SASL support to SMTP as well unless you guys have
> >>> plan to do that already ?
> >>
> >>Any nginx developers have any thoughts on this?
> >
> >When talking to mail backends, nginx doesn't use SASL for
> >authentication as it's believed to be superfluous to use it
> >instead of native protocol commands in the non-hostile backend
> >environment.
>
> I'm not sure what you mean by this, can you expand please?

I mean: nginx uses "LOGIN" when talking to IMAP backends,
"USER/PASS" when talking to POP3 backends, and I don't see reasons
to use SASL mechanisms instead when talking to backends.

> >There is SASL support in nginx mail module though, and it happily
> >authenticates users with PLAIN, LOGIN and CRAM-MD5 SASL mechanisms
> >(as long as http_auth script used is able to handle this).
>
> These are particularly limited SASL mechanisms. Ours adds support for
> linking to cyrus-sasl, for extended SASL mechanisms such as GSSAPI, SPNEGO,
> etc. If that's not of interest, that's fine, but it's generally much more
> useful security wise.

No, linking to cyrus-sasl isn't an option, thanks.

--
Maxim Dounin
http://nginx.org/
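
An added example, not part of the original message and not nginx code: a sketch of the decision an auth_http script makes for the two cases discussed above, using the header names from the nginx `ngx_mail_auth_http_module` documentation. It assumes `Auth-Salt` carries the challenge exactly as the client saw it; the user, password, challenge and digest are the RFC 2195 sample values, and the backend addresses are placeholders.

```python
import hashlib
import hmac

# Constructed data: the user/password pair is the RFC 2195 sample; the backend
# addresses are documentation-range placeholders.
USERS = {"tim": "tanstaaftanstaaf"}
BACKENDS = {"imap": ("192.0.2.10", "143"), "pop3": ("192.0.2.10", "110")}


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())


def auth_http(request_headers: dict) -> dict:
    """Map the headers of one nginx auth_http request to response headers."""
    h = {k.lower(): v for k, v in request_headers.items()}
    method = h.get("auth-method", "")
    password = USERS.get(h.get("auth-user", ""))
    backend = BACKENDS.get(h.get("auth-protocol", ""))
    supplied = h.get("auth-pass", "")

    ok = False
    if password is not None and backend is not None:
        if method == "plain":
            # SASL PLAIN and LOGIN both arrive here with the clear-text password.
            ok = _same(supplied, password)
        elif method == "cram-md5":
            # Auth-Salt is the challenge, Auth-Pass the client's hex digest.
            expected = hmac.new(password.encode(), h.get("auth-salt", "").encode(),
                                hashlib.md5).hexdigest()
            ok = _same(supplied.lower(), expected)

    if not ok:
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    response = {"Auth-Status": "OK", "Auth-Server": backend[0], "Auth-Port": backend[1]}
    if method == "cram-md5":
        # nginx never saw the password, so the script hands it over for the
        # plain LOGIN or USER/PASS that nginx issues to the backend.
        response["Auth-Pass"] = password
    return response
```

Supporting CRAM-MD5 this way means the script's credential store must hold recoverable passwords, and the password still travels in clear text on the nginx-to-backend hop.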