Authentication
📄️ Authenticate clients using X.509 certificates
For client authentication, Halon supports X.509 client certificate authentication in addition to various password authentication methods. During the STARTTLS handshake, the server (Halon) can ask for an X.509 client certificate (peer certificate). If the client provides a certificate, it can later be obtained from the $connection variable. If Halon is acting as a client (delivering mail), you can set a client certificate using the tlsclientcert option to the Try function in the Pre-delivery context.
📄️ Implement a custom SASL authentication mechanism
By default, Halon supports two SASL AUTH mechanisms (LOGIN and PLAIN). Both are simple username/password-based methods that do not require complex state transitions or a server-based reply in order to obtain a username and password, which can then be easily authenticated in the AUTH script. There are various ways of verifying the username and password; common ways of doing so in the Halon MTA include
📄️ Restrict SASL users to certain sender domains
If you are hosting a sending infrastructure, it may be a good idea to restrict a specific SASL username to a fixed set of sending domains in order to prevent abuse. It could be that you already have users with their sending domain in the SASL username, or that you need to look up this information in an external database. The following checks can be done in the MAIL FROM context or at any later stage.