ietf-smtp

Re: Requesting reviews: SMTP AUTH update, draft-siemborski-rfc2554bis-05.txt

2006-12-05 13:54:14

Frank Ellermann wrote:

> Tony Finch wrote:
>> The SASL EXTERNAL method means that the client has been authenticated by
>> some means external to SASL (e.g. TLS, or in my case IP addresses and
>> knowledge of the network topology) and that the client wants the server
>> to make its access control decision using this information with the
>> authorization identity that the client provides via SASL.
>
> JFTR, I think on top of TLS you'd get ESMTPSA with RFC 3848, not ESMTPA.

Right :-)

> My point was about ESMTPA, and of course I forgot the EXTERNAL mechanism.
> But it's not so bad that I'll now go and fix the Wikipedia article about
> CRAM-MD5... ;-)
>
> BTW, RFC 4422 and Wikipedia only mention TLS and IPsec,

I've only seen SASL EXTERNAL over TLS.

> but not RADIUS,
> my first guess what EXTERNAL could be about.

SASL EXTERNAL allows anything, but unfortunately a server/client implementation has to understand what kind of "anything" is used in any particular case, or implementations wouldn't interoperate. So if the client is using SASL EXTERNAL over IPSec, the other end had better be supporting the same thing.

> Something wrong with that, or is it just another case of "security folks hate
> KISS"?

I dislike how underspecified SASL EXTERNAL is, however it was always the case (even in RFC 2222).
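The exchange the thread is talking about, as an added example that is not part of any poster's message or of the 2554bis draft itself: a client sends AUTH EXTERNAL with its authorization identity as the initial response (the 2554bis syntax, later published as RFC 4954, with "=" for an empty response), the server checks that identity against whatever it learned outside SASL (here assumed to be a verified TLS client certificate), and the session is then labelled ESMTPSA, ESMTPA, ESMTPS or ESMTP in the Received header per RFC 3848. The identities, the `may_act_as` proxy-authorization policy and the reply texts are constructed for illustration; the "anything" that established the external identity is deliberately left as an opaque string, which is exactly the interoperability gap discussed above.

```python
import base64

# Added example (not from the thread or the draft): one SMTP AUTH EXTERNAL
# exchange plus the RFC 3848 "with" keyword the server would log for it.
# Identities and the proxy-authorization policy are constructed.


def received_with_keyword(tls: bool, authenticated: bool) -> str:
    """RFC 3848 'with' clause keyword for an ESMTP session."""
    return {
        (False, False): "ESMTP",
        (True, False): "ESMTPS",   # STARTTLS only
        (False, True): "ESMTPA",   # SMTP AUTH only
        (True, True): "ESMTPSA",   # STARTTLS + SMTP AUTH
    }[(tls, authenticated)]


def auth_external_command(authzid: str = "") -> str:
    """Client side: AUTH EXTERNAL with the authorization identity as the
    initial response. An empty authzid is sent as '=', meaning 'act as the
    identity the external mechanism already established'."""
    if authzid == "":
        return "AUTH EXTERNAL ="
    return "AUTH EXTERNAL " + base64.b64encode(authzid.encode("utf-8")).decode("ascii")


class ExternalAuthServer:
    """Server side of AUTH EXTERNAL.

    external_identity: identity established outside SASL (assumed here to
    come from a verified TLS client certificate); None means nothing
    external authenticated the client.
    may_act_as: constructed policy mapping an authenticated identity to the
    authorization identities it may additionally assume.
    """

    def __init__(self, external_identity, tls=True, may_act_as=None):
        self.external_identity = external_identity
        self.tls = tls
        self.may_act_as = may_act_as or {}
        self.authenticated_as = None

    def handle_auth(self, line: str) -> str:
        parts = line.strip().split(" ")
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            return "500 5.5.2 Syntax error"
        if parts[1].upper() != "EXTERNAL":
            return "504 5.5.4 Unrecognized authentication type"
        if len(parts) != 3:
            # Keep the example to a single exchange: only the
            # initial-response form is accepted here.
            return "501 5.5.2 Initial response required"
        if self.external_identity is None:
            # EXTERNAL only works when something outside SASL (TLS, IPsec,
            # ...) has already authenticated the client.
            return "535 5.7.8 Authentication credentials invalid"
        if parts[2] == "=":
            authzid = ""
        else:
            try:
                authzid = base64.b64decode(parts[2], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return "501 5.5.2 Cannot decode response"
        # Empty authzid: act as the externally authenticated identity.
        requested = authzid or self.external_identity
        allowed = {self.external_identity} | self.may_act_as.get(self.external_identity, set())
        if requested not in allowed:
            return "535 5.7.8 Authentication credentials invalid"
        self.authenticated_as = requested
        return "235 2.7.0 Authentication successful"


def run_session(server: ExternalAuthServer, authzid: str = ""):
    """Drive one AUTH EXTERNAL exchange; return the server reply and the
    Received 'with' keyword the server would log for this session."""
    reply = server.handle_auth(auth_external_command(authzid))
    return reply, received_with_keyword(server.tls, server.authenticated_as is not None)


if __name__ == "__main__":
    srv = ExternalAuthServer("alice@example.org", tls=True)
    print("C:", auth_external_command())
    print("S:", run_session(srv))
```

The policy check is the part RFC 4422 leaves to the implementation: the server must decide whether the externally authenticated identity may assume the requested authorization identity, and nothing in the protocol tells it what the external identity even looks like.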