From: James Devine (fxmulder gmail.com)
Date: Tue Apr 01 2008 - 11:28:52 CDT
Taking a look at cyrus sasl I see I get the realm separate from the user but
it appears postfix strips off the realm information before sending to sasl
and even if smtpd_sasl_local_domain is set, it is changed to the realm sent
by the user. I assume there is no configurable way to change this?

On Tue, Apr 1, 2008 at 8:33 AM, Victor Duchovni <Victor.Duchovni morganstanley.com> wrote:
> On Tue, Apr 01, 2008 at 07:07:21AM +0200, Patrick Ben Koetter wrote:
>
> > * James Devine <fxmulder gmail.com>:
> > > Alright, I was able to get the multiple instances working and that seems to
> > > work just fine. I am now trying to get each to authenticate via
> > > sasl->pam->ldap. The authentication seems to work fine but I would like to
> > > be able to lock down each instance to the realm it is dedicated to, for
> > > example if domain1 is tied to instance1 and domain2 is tied to instance2 I
> > > would like to ensure that someone on domain1 doesn't authenticate via
> > > instance2. Does anyone know if there is a way to attach additional
> > > information to the authentication request or alter it to remove any realm
> > > information and attach my own?
> >
> > There's no way you can strip off or alter the realm. If the client sends a
> > realm it will pass and will be used. Only if the realm would not be sent,
> > Postfix might add $smtpd_sasl_local_domain.
>
> One variant of the question is how to configure the SASL backend for a
> given Postfix instance to only support users in a given realm. If
> the instance cannot authenticate users in the "wrong" realm, the OP's
> problem is solved.
>
> Postfix itself has no support for filtering the user realm. With GSSAPI
> (really Kerberos V under the hood) and cross-realm keys configured between
> suitable KDCs, it is not unreasonable to be able to restrict which realms
> are authorized to relay and which not (mere authentication, does not
> necessarily imply authorization). Perhaps some day there will be features
> to make more fine-grained use of the SASL user/realm in Postfix.
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>
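
The thread separates authentication from authorization. As an added example (not code from the thread or from Postfix), the sketch below takes the authorization route: a per-instance policy service, speaking Postfix's policy delegation protocol, that refuses mail when the realm in the `sasl_username` attribute is not the one the instance is dedicated to. The realm `domain1.example`, the function names, and the assumption that the login arrives in `user@realm` form are all illustrative.

```python
import sys

# Constructed values: the realm this instance serves, and one sample request.
DEFAULT_REALM = "domain1.example"
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "sasl_method=PLAIN\nsasl_username=bob@domain2.example\n\n")

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def realm_of(login):
    """Return the lower-cased realm of user@realm, or None if there is none."""
    user, sep, realm = login.rpartition("@")
    return realm.lower() if sep and user and realm else None

def decide(attrs, allowed_realm):
    login = attrs.get("sasl_username", "")
    if not login:
        return "DUNNO"  # unauthenticated client: leave it to other restrictions
    if realm_of(login) == allowed_realm.lower():
        return "DUNNO"  # right realm: no opinion, later restrictions still apply
    # Wrong realm, or no realm at all (assumption: fail closed in that case).
    return "REJECT SASL realm not permitted on this instance"

def respond(text, allowed_realm=DEFAULT_REALM):
    """Build the reply Postfix expects: action=... followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(text), allowed_realm)

if __name__ == "__main__":
    # Answer requests on stdin/stdout, e.g. when started by spawn(8).
    allowed = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REALM
    pending = []
    for raw in sys.stdin:
        line = raw.rstrip("\n")
        if line:
            pending.append(line)
            continue
        sys.stdout.write(respond("\n".join(pending), allowed))
        sys.stdout.flush()
        pending = []
```

Each instance would reference its own copy through `check_policy_service` in its smtpd restrictions, passing its own realm as the argument. This does not stop the SASL exchange itself from succeeding; it only denies use of the instance to logins from another realm.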