Fredrik Melander wrote:
> On behalf of my employer I'm trying to port a script I used to parse
> x509-certificates with Postfix to work with Exim. This is my very first
> experience with Exim so bear with me if my questions come across as
> stupid. I did briefly plough through "The Exim SMTP mail server" (Hazel)
> and searched the archive, unfortunately without ending up that much
> wiser (well, in this regard).
>
> What I want to do is something along the following lines:
>
> Let's say I have a daemon process in form of a python-script listening
> on a certain port on my machine. Upon receiving a x509-certificate from
> a remote machine Exim delegates this to my script, preferably over TCP
> but if not possible also through a pipe or similar. My script will then
> decide whether the email should be accepted or not.
>
> With postfix I would simply have my daemon listening to a port of my
> liking, say 5244, and then use a rule like:
>
> smtpd_recipient_restrictions = check_policy_service inet:localhost:5244
>
> ...and so on... With Exim I've seen two options that I figure could do
> something similar. First, the queryprogram router, and secondly the
> run-command (in string expansions). The problems I see with these is
> that my script gets started and stopped each time an email arrives
> instead of remaining running as a daemon. Secondly, I haven't figured
> out how to pass the appropriate arguments to them (with Postfix, for
> example, I'd get a nice array with information about the client and its
> certificate "for free" without explicitly having to ask for it).
>
> I'm afraid my limited experience with Exim kind of prevents me from
> asking the right questions, but I'd be very happy for any suggestions in
> the matter. Is my problem somewhat clear? Are there any other possible
> ways of achieving this? Is it at all possible for Exim to call my script
> over a TCP-port like stated above?
You can connect to a TCP port by using the "readsocket" expansion as described on http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html

I'm not sure if you can get access to the certificate details that you want though. $tls_peerdn contains the client certificate's distinguished name, if that is enough? You can also get the cipher used from $tls_cipher and whether or not the certificate verified from $tls_certificate_verified. They are all described on the same page as readsocket.

-- 
Mike Cardwell (https://secure.grepular.com/) (http://perlcv.com/)

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
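The readsocket approach described in the reply, carried through as an added example (this is not code from the thread, from Exim, or from the original poster's script): a small Python policy daemon of the kind the poster already has, which reads a key=value request that an Exim ACL sends with ${readsocket...}, decides on the client certificate, and answers with one line. The Exim ACL fragment that would call it is included in the module docstring; it is assumed rather than tested, as are port 5244, the key=value request layout, the `acl_m_policy` variable name and the allow-listed CNs. The `$tls_in_peerdn`, `$tls_in_cipher` and `$tls_in_certificate_verified` variables in the fragment are the Exim 4.80+ spellings of `$tls_peerdn`, `$tls_cipher` and `$tls_certificate_verified` named above.

```python
r"""Policy daemon for an Exim ${readsocket} ACL check (added example, not from the thread).

Assumed Exim ACL fragment (acl_check_rcpt) that pairs with this daemon. Exim sends the
request, half-closes the socket, and reads the reply until the daemon closes; the fourth
readsocket argument turns the reply's newline into a space, the fifth is the fail string
used when the daemon cannot be reached, which makes the check fail closed (defer):

  warn
    set acl_m_policy = ${readsocket{inet:127.0.0.1:5244}\
        {peer_dn=$tls_in_peerdn\nverified=$tls_in_certificate_verified\ncipher=$tls_in_cipher\nclient=$sender_host_address\nsender=$sender_address\nrecipient=$local_part@$domain\n\n}\
        {5s}{ }{action=TEMPFAIL policy daemon unreachable}}
  defer
    condition = ${if match{$acl_m_policy}{^action=TEMPFAIL}}
    message   = policy service unavailable, try again later
  deny
    condition = ${if match{$acl_m_policy}{^action=REJECT}}
    message   = ${sg{$acl_m_policy}{^action=REJECT *}{}}
"""
import socketserver

# Constructed allowlist of certificate subject CNs permitted to send (assumption).
ALLOWED_CNS = {"relay1.example.net", "relay2.example.net"}


def parse_request(raw: bytes) -> dict:
    """Parse 'key=value' lines up to the first blank line into a dict."""
    attrs = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def dn_cn(dn: str):
    """Extract the CN from a DN as Exim renders it: OpenSSL builds give
    '/C=SE/O=Example/CN=host', GnuTLS builds give 'CN=host,O=Example,C=SE'.
    Naive split: a CN containing a '/' or ',' (RFC 4514 escaping) is not handled."""
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def decide(attrs: dict, allowed_cns=ALLOWED_CNS) -> str:
    """Policy: the client must present a certificate that Exim verified against its
    tls_verify_certificates bundle AND whose subject CN is on the allowlist.
    $tls_in_certificate_verified is '1' when verified, '0' otherwise, empty without TLS."""
    if attrs.get("verified") != "1":
        return "action=REJECT client certificate missing or not verified"
    cn = dn_cn(attrs.get("peer_dn", ""))
    if cn is None or cn not in allowed_cns:
        return "action=REJECT certificate subject not authorised"
    return "action=OK"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        while True:
            line = self.rfile.readline()
            # Stop at the blank line that ends the request, or at EOF: readsocket
            # half-closes after sending, so EOF also arrives if the blank line is missing.
            if not line or line in (b"\n", b"\r\n"):
                break
            lines.append(line)
        verdict = decide(parse_request(b"".join(lines)))
        self.wfile.write((verdict + "\n").encode("ascii"))
        # Returning closes the connection, which is what ends Exim's read.


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # restart without waiting for TIME_WAIT


def serve(host="127.0.0.1", port=5244):
    """Run the daemon; one thread per readsocket connection from Exim."""
    with PolicyServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Two points worth keeping in mind with this design: readsocket blocks the SMTP session for up to its timeout, so the daemon must answer quickly and the timeout should stay short; and because the fail string is mapped to a defer rather than an accept, a daemon outage degrades to temporary failures instead of silently letting unverified clients through.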
