mirror of
https://github.com/tomav/docker-mailserver.git
synced 2024-06-29 12:41:27 +02:00
611a66bf98
* fix: Dovecot PassDB should restrict allowed auth mechanisms This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban. Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used. * tests: Use `curl` for OAuth2 login test-cases instead of netcat `curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate. * chore: Add entry to `CHANGELOG.md`
15 lines
782 B
Plaintext
15 lines
782 B
Plaintext
# Allow clients to use these additional mechanisms:
|
|
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
|
|
|
|
# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB:
|
|
# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database
|
|
# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here:
|
|
# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms
|
|
# However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`).
|
|
|
|
passdb {
|
|
driver = oauth2
|
|
mechanisms = xoauth2 oauthbearer
|
|
args = /etc/dovecot/dovecot-oauth2.conf.ext
|
|
}
|