Re: [exim] Dovecot style Authentication Policy Server for Ex…

Author: Heiko Schlittermann
Date:
To: exim-users
New Topics: Re: [exim] Dovecot style Authentication Policy Server for Exim? ** SOLUTION **
Subject: Re: [exim] Dovecot style Authentication Policy Server for Exim?
Mike Tubby via Exim-users <exim-users@???> (Tue 17 Mar 2020 01:51:55 CET):
> All,
>
> Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system
> whereby it can make a web-services call to an Authentication Policy
> Server:
>
> 1.     command: on connect, before authentication
> 2.     command: on connect, after authentication
> 3.     report: on final outcome of policy + authentication
>
> It would be "really good"(tm) if Exim could implement a similar
> concept/service/API as it would allow me to leverage GEOIP against possible
> attackers of some (protected) services and report back in to a common
> database of failed connections for (a) GEOIP policy or (b) username/password


Maybe I'm missing the point, but something *like* this comes to my
mind immediately (at least as a POC it should be OK):

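    PLAIN:
        driver = plaintext
        server_prompts = :
        # With PLAIN, $auth1 is the authorization id, $auth2 the user name
        # and $auth3 the password.
        server_condition = ${perl{do_auth}{$auth2}{$auth3}{$sender_host_address}}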


And provide a Perl subroutine do_auth that does the actual
authentication.

But then, of course, you have to implement the actual auth in the Perl
function.

Maybe even that would work, but I'm not sure if we're flexible enough
with the ACL

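    begin acl

    # <pre-auth>, <auth> and <report> are placeholders for the three stages.
    acl_auth:
        require condition = <pre-auth>
        require condition = <auth>
        require condition = <report>
        accept


    begin authenticators

    PLAIN:
        driver = plaintext
        # server_condition is a string expansion, so the ACL has to be
        # called through the "acl" expansion condition.
        server_condition = ${if acl{{acl_auth}}{yes}{no}}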


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
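
Added example, not part of the message above and not Exim's own code: a minimal Perl do_auth that follows the three stages from the quoted request (pre-auth policy, authentication, report). It assumes the subroutine is called with user name, password and client address; pre_auth, check_password, the account table and the addresses are hypothetical and constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed sample data; pre_auth and check_password are hypothetical helpers.
# The salted digest stands in for whatever credential store is really used.
my @DENY_PREFIXES = ('203.0.113.');
my %USERS = (alice => { salt => 'c0ffee', hash => sha256_hex('c0ffee' . 'correct horse') });
my $MAX_FAILS = 3;
my %fails;     # per-process only: Exim forks per connection, so real use needs shared storage
our @REPORTS;  # stage 3 sink; a real setup would send this to the policy server

# Stage 1: policy decision before the credentials are looked at.
sub pre_auth {
    my ($ip) = @_;
    return 0 if grep { index($ip, $_) == 0 } @DENY_PREFIXES;
    return $MAX_FAILS > ($fails{$ip} // 0);
}

# Stage 2: credential check; digests are compared without an early exit.
sub check_password {
    my ($user, $pass) = @_;
    my $rec  = $USERS{$user} // { salt => '', hash => '0' x 64 };  # unknown user: same work
    my $got  = sha256_hex($rec->{salt} . $pass);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($rec->{hash}, $_, 1)) for 0 .. 63;
    return exists($USERS{$user}) && $diff == 0;
}

# Entry point for ${perl{do_auth}{user}{password}{client address}}.
# Returns "yes" or "no", which server_condition treats as success or failure.
sub do_auth {
    my ($user, $pass, $ip) = @_;
    my $allowed = pre_auth($ip);
    my $ok      = $allowed && check_password($user, $pass);
    $fails{$ip}++ if $allowed && !$ok;
    (my $u = $user) =~ tr/\x21-\x7e/?/c;   # keep client-supplied bytes out of the report line
    # Stage 3: report the final outcome, policy rejections included.
    push @REPORTS, join ' ', "ip=$ip", "user=$u",
        'policy=' . ($allowed ? 'allow' : 'reject'), 'auth=' . ($ok ? 'ok' : 'fail');
    return $ok ? 'yes' : 'no';
}

# Constructed demonstration when run directly (skipped when loaded by Exim).
unless (caller) {
    print do_auth(@$_), "\n" for (['alice', 'correct horse', '198.51.100.7'],
        ['alice', 'guess', '198.51.100.9'], ['alice', 'correct horse', '203.0.113.5']);
    print "$_\n" for @REPORTS;
}
1;
```

Exim loads such a file through the perl_startup main option when it is built with embedded Perl support.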