------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=1003 Summary: Extended (client) certificate verification in ACL Product: Exim Version: N/A Platform: Other OS/Version: Linux Status: NEW Severity: wishlist Priority: medium Component: TLS AssignedTo: [email protected] ReportedBy: [email protected] CC: [email protected] The only information about client certificates is the distinguished name available in $tls_peerdn and the verification output which can be checked using verify = certificate in an ACL. It would be extremely useful to be able to check the particular (root) certificate which verified the client certificate. One particular use would be to have a certificate authority which signs certificates on behalf of clients which are allowed relay access. It is not sufficient to merely check that a valid certificate is presented, otherwise any client which can present a certificate signed by any authority (e.g., verisign, cacert, etc.) would be allowed access. Setting only the permitted-relay certificate authority's root certificate as the verification certificate disables the opportunity to check certificates from clients which aren't relaying for validity and adding a header warning about possible spoofing, i.e., something like: X-Warning: Mail recieved from server claiming to be mail.paypal.com, but server did not present a certificate signed by any recognized authority. This may indicate a forgery attempt. I propose that an option to specify a particular certificate by added to the certificate verification condition. An example would be: verify = certificate/cert=/etc/mail/valid_relay.pem The condition would be true only if the client's certificate successfully verifies against this and only this certificate. It appears that anywhere a certificate is expected, a directory of certificates may be provided if OpenSSL is used. This should be the case here for consistency. -- Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email -- ## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
