Comments (4)
foxcpp
commented on May 15, 2024
Another thing is that users may want to have different storage associated with accounts coming from different auth. backends. Currently, authentication is fully separate from storage and we have the concept of "auth account" and "storage account". This makes it difficult to build some sort of association.
We can allow authentication modules to return some kind of "association tag", which could then be consumed by storage backend.
There are multiple ways to implement such association tags. Depending on the level of abstraction you want them to be on.
SMTP, Pipeline: Allow branching directives to inspect association tag created by authentication provider (using syntax described in #32):
if $authsource = pam {
}
Approach A: Extend authentication provider interface:
type AuthProvider interface {
CheckPlain(username, password) (associationTag string, err error)
}Extend storage IMAP interface in similar way:
type StorageBackend interface {
GetUser(assocationTag, username, password string) (backend.User, error)
}Then implement multi storage backend and authentication provider capable of making use of these association tags for purposes of dispatching.
from maddy.
foxcpp
commented on May 15, 2024
Approach B: Move dispatching logic to the upper level.
Do all dispatching at the endpoint (or pipeline) module level, using auth. provider instance names as "association tags".
imap ... {
auth multi local_users {
user pam
pass virtual { file /var/lib/maddy/local-passwd }
}
auth multi virtual_users {
user virtual { file /var/lib/maddy/virtual-users }
pass virtual { file /var/lib/maddy/virtual-passwd }
}
storage {
auth local_users maildir { root /var/spool/ }
auth virtual_users sql
}
}
submission ... {
auth multi local_users {
user pam
pass virtual { file /var/lib/maddy/local-passwd }
}
auth multi virtual_users {
user virtual { file /var/lib/maddy/virtual-users }
pass virtual { file /var/lib/maddy/virtual-passwd }
}
if $auth = virtual_users {
...
}
}
Side-note: Common auth expressions can be factored out into a snippet:
(auth) {
auth multi local_users {
user pam
pass virtual { file /var/lib/maddy/local-passwd }
}
auth multi virtual_users {
user virtual { file /var/lib/maddy/virtual-users }
pass virtual { file /var/lib/maddy/virtual-passwd }
}
}
Or we might want to allow specificing auth directive at top level.
Okay, I think Approach B is more clear and Approach A basically ruins all existing abstractions, while B builds on them.
from maddy.
foxcpp
commented on May 15, 2024
multi instance_name { user pam user virtual { file /etc/maddy/userlist } pass virtual { file /etc/maddy/passwd } }
Side note: Not all PAM modules differentiate between "user doesn't exist" and "invalid password" so this setup may be problematic in reality.
from maddy.
foxcpp
commented on May 15, 2024
auth multi local_users {
user pam
pass virtual { file /var/lib/maddy/local-passwd }
}
auth multi virtual_users {
user virtual { file /var/lib/maddy/virtual-users }
pass virtual { file /var/lib/maddy/virtual-passwd }
}
Also this needs extension of config.Map to allow multiple values for directives.
from maddy.
Related Issues (20)
- Gandi dns-01 challenge fail: 400 Absolute rrset_name must end with mydomain.org HOT 8
- Quarantined message discarded HOT 3
- Bug report: empty smtp.mailfrom on Delivery Status Notification (DSN) HOT 5
- No usable MXs when sending to IPv6-only domain
- Feature request - replace_rcpt sql_query {} should handle multiple results HOT 3
- Error Message should Validate Username is in Domain for Authentication Error HOT 1
- POP3 support HOT 2
- Check the From header for inbound mail HOT 2
- Bug report: ssl cert expired for docs site HOT 6
- Strict CRLF check in SMTP protocol
- Unable to start Ubuntu 22.04.3 LTS aarch64 HOT 8
- [Feature request] auto configure DKIM key via libdns HOT 2
- Bug report: submission: listening on tls://0.0.0.0:465 not open HOT 1
- cannot specify tls_client directive HOT 4
- Feature request: additional infos in "queue: delivered" logging HOT 1
- Feature request System command filter. run_on header
- queue: infinite retries after reducing max_tries and bogus retry interval HOT 2
- cross compilation error : pq.Error does not implement error (method Error has pointer receiver) HOT 2
- Documentation for aliases
- Feature request: Make the DMARC check to be enforced regardless of DMARC record existence
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from maddy.