Authentication over SSL

Russ Allbery rra at stanford.edu
Tue Sep 9 17:17:17 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> All right!  That sounds very good.
>
> Is it the same for AUTHINFO SASL?  If there is no auth parameters, it
> should not be advertised.

I forget how the SASL support works.  Is there anything in the
readers.conf file saying "support SASL" or is it entirely internal?

> In such cases, when there is no auth parameter, should AUTHINFO
> USER/PASS/SASL commands return 502?  Or do we let the user try to
> authenticate (and it will fail at the end)?

You definitely want AUTHINFO USER to fail if you don't want the user to
authenticate, since that prevents sending the password over an unencrypted
connection.  502 is the correct error code.

> And if there is require_ssl and an auth parameter in the same auth
> block, I think AUTHINFO SASL should be advertised but SASL PLAIN and
> SASL EXTERNAL should not.  Is that right?  Are there other mechanisms
> not to advertise?

That sounds right.  I can't think of any other auth mechanisms that we'd
need to restrict.  (We probably don't have to restrict SASL EXTERNAL, but
it's fairly useless without TLS at least in the ways in which people
usually use it.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
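The advertise-or-refuse policy worked out in the exchange above, as an added example that is not part of the original message and not INN's own code: it models a readers.conf auth block with an `auth:` parameter and `require_ssl`, decides which AUTHINFO capabilities and SASL mechanisms to show on a cleartext versus a TLS connection, and answers AUTHINFO USER with 502 when no block can accept a password right now. The mechanism list, the `AuthBlock` and `Connection` classes and the reply strings are assumptions made for the example; the response codes follow RFC 4643.

```python
"""Model of the AUTHINFO advertisement policy from the thread.
Added example: not INN's code, and it does not parse readers.conf."""

from dataclasses import dataclass, field

# Mechanisms a hypothetical SASL library offers (constructed sample).
SUPPORTED_MECHS = ["PLAIN", "EXTERNAL", "CRAM-MD5"]
# Mechanisms withheld on a cleartext link when every usable auth block
# carries require_ssl: PLAIN sends the password, EXTERNAL needs TLS.
CLEARTEXT_SENSITIVE = {"PLAIN", "EXTERNAL"}


@dataclass
class AuthBlock:
    """One readers.conf auth block (simplified, assumed shape)."""
    name: str
    auth: list = field(default_factory=list)  # auth: parameters; empty = none
    require_ssl: bool = False


@dataclass
class Connection:
    encrypted: bool  # TLS negotiated (STARTTLS or implicit TLS)


def _blocks_with_auth(blocks):
    return [b for b in blocks if b.auth]


def _usable_now(blocks, conn):
    """Blocks whose auth parameter may be used on this connection."""
    return [b for b in _blocks_with_auth(blocks)
            if conn.encrypted or not b.require_ssl]


def advertised_capabilities(blocks, conn):
    """CAPABILITIES lines relevant to authentication, in RFC 3977 form."""
    lines = []
    if not conn.encrypted:
        lines.append("STARTTLS")
    if not _blocks_with_auth(blocks):
        return lines  # no auth parameter anywhere: advertise no AUTHINFO
    if _usable_now(blocks, conn):
        lines.append("AUTHINFO USER SASL")
        lines.append("SASL " + " ".join(SUPPORTED_MECHS))
    else:
        # Only require_ssl blocks exist and the link is cleartext: keep
        # AUTHINFO SASL visible but drop PLAIN and EXTERNAL from the offer.
        mechs = [m for m in SUPPORTED_MECHS if m not in CLEARTEXT_SENSITIVE]
        lines.append("AUTHINFO SASL")
        if mechs:
            lines.append("SASL " + " ".join(mechs))
    return lines


def authinfo_user_response(blocks, conn):
    """Reply to AUTHINFO USER: 502 unless a password can be taken now."""
    if _usable_now(blocks, conn):
        return "381 Password required"
    return "502 Authentication unavailable"


def authinfo_sasl_response(blocks, conn, mech):
    """Reply to AUTHINFO SASL <mech>: refuse anything not advertised."""
    offered = [l for l in advertised_capabilities(blocks, conn)
               if l.startswith("SASL ")]
    mechs = offered[0].split()[1:] if offered else []
    if mech.upper() in mechs:
        return "383 Continue"  # hand off to the SASL exchange
    return "502 Mechanism unavailable"


if __name__ == "__main__":
    # Sample configuration: one block that only authenticates over TLS.
    blocks = [AuthBlock("tls-only", auth=["ckpasswd -f /etc/news/passwd"],
                        require_ssl=True)]
    for conn in (Connection(encrypted=False), Connection(encrypted=True)):
        print("encrypted" if conn.encrypted else "cleartext")
        for line in advertised_capabilities(blocks, conn):
            print("  ", line)
        print("   AUTHINFO USER ->", authinfo_user_response(blocks, conn))
        print("   AUTHINFO SASL PLAIN ->",
              authinfo_sasl_response(blocks, conn, "PLAIN"))
```

With the sample block, the cleartext connection sees STARTTLS, AUTHINFO SASL and a SASL line without PLAIN or EXTERNAL, and AUTHINFO USER gets 502; once TLS is up the full AUTHINFO USER SASL offer appears. A block with no `auth:` parameter produces no AUTHINFO line at all, and AUTHINFO USER is refused on either kind of connection.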