§rusmes-auth
Pluggable authentication backends for the RusMES mail server.
§Overview
rusmes-auth provides a unified AuthBackend trait that abstracts over multiple
authentication strategies. All backends implement the same async interface, allowing
them to be composed, swapped, or wrapped by middleware such as the brute-force
protector found in the security module.
§Backends
| Backend | Module | Notes |
|---|---|---|
| File (htpasswd-style) | file | bcrypt hashes, atomic writes |
| LDAP / Active Directory | backends::ldap | connection pooling, group filtering |
| SQL (SQLite / Postgres / MySQL) | backends::sql | bcrypt + Argon2 + SCRAM-SHA-256 |
| OAuth2 / OIDC | backends::oauth2 | JWT validation, XOAUTH2 SASL |
| System (Unix) | backends::system | Pure Rust /etc/shadow auth |
§SASL Mechanisms
The sasl module implements RFC-compliant SASL mechanisms on top of any AuthBackend:
- PLAIN (RFC 4616)
- LOGIN (obsolete but widely supported)
- CRAM-MD5 (RFC 2195)
- SCRAM-SHA-256 (RFC 5802 / RFC 7677)
- XOAUTH2 (RFC 7628)
§Security
The security module provides:
- Brute-force / account-lockout protection (progressive lockout)
- Per-IP rate limiting
- Password strength validation (entropy, character class, banned list)
- In-memory audit logging
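The wrapping described in the Overview, applied to the progressive lockout listed above, as an added example; it is not rusmes-auth's own code. `Verifier`, `Lockout`, `Outcome` and `Demo` are hypothetical names, the trait is synchronous where the crate's `AuthBackend` is async, and treating usernames as case-insensitive is an assumption.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Hypothetical synchronous stand-in for a backend (not the crate's async AuthBackend).
pub trait Verifier { fn verify(&self, user: &str, password: &str) -> bool; }

#[derive(Debug, PartialEq)]
pub enum Outcome { Ok, Denied, LockedOut(Duration) }

/// Wraps any Verifier with per-account progressive lockout (illustrative names).
pub struct Lockout<V: Verifier> {
    pub inner: V,
    pub free_attempts: u32, // the failure count that triggers the first lockout
    pub base: Duration,     // first lockout length, doubled per further failure
    pub max: Duration,      // upper bound on any single lockout
    pub state: HashMap<String, (u32, Option<Instant>)>, // (failures, locked_until)
}

impl<V: Verifier> Lockout<V> {
    /// `now` is a parameter so the policy can be exercised without sleeping.
    pub fn authenticate(&mut self, user: &str, password: &str, now: Instant) -> Outcome {
        let key = user.to_lowercase(); // assumption: one counter per account, any case
        if let Some(until) = self.state.get(&key).and_then(|e| e.1) {
            // Refuse before touching the backend: no password is confirmed during lockout.
            if now < until { return Outcome::LockedOut(until - now); }
        }
        if self.inner.verify(user, password) {
            self.state.remove(&key); // success clears the failure history
            return Outcome::Ok;
        }
        let entry = self.state.entry(key).or_insert((0, None));
        entry.0 += 1;
        if entry.0 < self.free_attempts { return Outcome::Denied; }
        // Double the wait for every failure past the threshold, capped at `max`.
        let doublings = (entry.0 - self.free_attempts).min(16);
        let wait = self.base.saturating_mul(1u32 << doublings).min(self.max);
        entry.1 = Some(now + wait);
        Outcome::LockedOut(wait)
    }
}

struct Demo; // constructed sample backend: accepts exactly alice / s3cr3t
impl Verifier for Demo { fn verify(&self, u: &str, p: &str) -> bool { u == "alice" && p == "s3cr3t" } }

fn main() {
    let mut l = Lockout { inner: Demo, free_attempts: 3, base: Duration::from_secs(30),
        max: Duration::from_secs(3600), state: HashMap::new() };
    let t0 = Instant::now();
    for _ in 0..4 { println!("{:?}", l.authenticate("alice", "guess", t0)); }
}
```

The `state` map is keyed by client-supplied usernames, so a deployment would bound or expire its entries. Keying lockout on the account also lets failed attempts from anywhere lock a known user out; per-IP rate limiting covers the complementary case.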
§Example
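```rust
use rusmes_auth::file::FileAuthBackend;
use rusmes_auth::AuthBackend;
use rusmes_proto::Username;

// The statements below use `.await` and `?`, so they belong inside an
// async function that returns a Result.

// Open the htpasswd-style credential file.
let backend = FileAuthBackend::new("/etc/rusmes/passwd").await?;
// Build a validated username; `?` propagates a rejected name.
let user = Username::new("alice".to_string())?;
// Check the supplied password against the stored hash.
let ok = backend.authenticate(&user, "s3cr3t").await?;
println!("authenticated: {ok}");
```
§Modules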
- backends: Authentication backend implementations
- file: File-based authentication backend (htpasswd-style with bcrypt password hashing)
- sasl: SASL (Simple Authentication and Security Layer) Framework
- security: Authentication security module