#1364 mod_auth_dovecot should send more data to dovecot

Reporter lukn
Owner Nobody
Stars ★ (1)
  • Component-Community
  • Priority-Medium
  • Status-Accepted
  • Type-Enhancement
  1. lukn on

    Description of feature: Prosody currently only sends username and password to dovecot. However, dovecot's authentication protocol allows much more information to be sent, e.g. client IP, client identification, if TLS was used. See: https://wiki1.dovecot.org/Authentication%20Protocol Motivation: (Why?) All this information can be used by dovecot to decide whether the authentication is successful. It would allow more authentication methods (e.g. accept only from specific IP, with specific client identifier, only when using TLS). Especially when combining dovecot with a policy server (weakforced) client IP address is required. Combining dovecot and weakforced is a very powerful setup which is able to detect brute force login attempts. I would gladly assist in implementing this additional data transfer. To do so, I would however need instructions how to get access to event/session data in auth modules. There does not seem to be any auth module using such data, which leads to the question if an auth module is able to access such information at all.

  2. Zash on

    Interesting. Develpoment of authentication modules is unfortunately severely underdocumented. These are what currently exists: https://prosody.im/doc/developers/auth https://prosody.im/doc/developers/sasl The session is passed to get_sasl_handler(), as can be seen here: https://hg.prosody.im/prosody-modules/file/86acfa44dc24/mod_auth_ccert/mod_auth_ccert.lua#l62 There is also an API that passes TLS details to allow for channel binding (ie SCRAM-PLUS).

    • tags Component-Community Status-Accepted

New comment

Not published. Used for spam prevention and optional update notifications.