On Wed, Jun 18, 2025 at 10:32:18AM +0100, Jeremy Harris via Exim-users wrote:
> On 2025/06/18 5:31 AM, Viktor Dukhovni via Exim-users wrote:
> > Jeremy, is there anything in Exim roughly equivalent to the Postfix
> > "fingerprint" security level?
>
> With the caveat that I'm no expert on what Postfix is offering,
> in Exim the server cert presented for a client connection is
> available in $tls_out_peercert, and can be fed to assorted
> hash operators (eg. ${sha256:...}) to obtain a fingerprint (*).

Understood, thanks.

FWIW the "fingerprint" security level in Postfix allows the SMTP client
to authenticate the remote server by matching the presented certificate
or public key digest against any of a set of expected fingerprints.
The policy applicable to a given nexthop destination is typically a
result of a table lookup.

    <nexthop> fingerprint match=digest [match=digest ...]

> This could be compared against a reference value, for example
> in the "client_condition" option of the authenticator being
> used for the OP connection.

Sounds like with a bit of attention to detail it should be possible to
put together equivalent logic in Exim.  Use the nexthop as a lookup key
to find the expected digest(s) and then compare...

-- 
    Viktor.

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
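The matching logic Viktor sketches (nexthop as lookup key, compare the presented certificate's digest against one or more expected "match=" values, accepting either a certificate digest or a public-key digest as Postfix does) as an added, stand-alone Python example. This is editor-supplied illustration, not Exim or Postfix code and not part of the thread. It assumes the caller already has the DER bytes of the server certificate (in Exim that is what `$tls_out_peercert` holds; `${sha256:$tls_out_peercert}` gives the certificate digest). The DER helpers, the policy table and the toy certificates are constructed here so the block runs offline; the certificates are structurally valid X.509 but unsigned and meaningless.

```python
"""Postfix-style "fingerprint" peer authentication for an SMTP client.
Added example (not Exim/Postfix code). Assumption: the TLS library hands
us the DER bytes of the server certificate; everything else is local."""
import hashlib


def normalize(fp):
    """Canonical digest form: lowercase hex without ':' separators, so an
    operator-entered 'AB:CD:..' and tool output 'abcd..' compare equal."""
    return fp.replace(":", "").strip().lower()


def colonize(hexfp):
    """Render a hex digest in the colon-separated upper-case style used in
    policy tables (only for readability of the constructed table below)."""
    return ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2)).upper()


# --- minimal DER encode/decode (enough to build and walk a certificate) -----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln


def spki_from_cert(cert_der):
    """Extract subjectPublicKeyInfo from Certificate.tbsCertificate (RFC 5280):
    [0] version (optional), serialNumber, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ...  Returns the SPKI TLV bytes."""
    _, tbs_start, _ = der_read(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = der_read(cert_der, tbs_start)    # tbsCertificate SEQUENCE
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                              # skip explicit [0] version
        pos = end
    for _ in range(5):                           # serial, sigalg, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    _, _, end = der_read(cert_der, pos)
    return cert_der[pos:end]


def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def pubkey_fingerprint(cert_der):
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()


# --- constructed test material -----------------------------------------------
def toy_certificate(pubkey_bits, serial=b"\x01", with_version=True):
    """Build a structurally valid, unsigned X.509 DER certificate (constructed
    data for offline use). Returns (certificate_der, spki_der)."""
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03")
                                        + der(0x0c, b"mx.example"))))      # CN=mx.example
    validity = der(0x30, der(0x17, b"250101000000Z") * 2)
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
                     + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, version + der(0x02, serial) + alg + name + validity + name + spki)
    sig = der(0x03, b"\x00" + b"\x00" * 8)
    return der(0x30, tbs + alg + sig), spki


CERT_A, SPKI_A = toy_certificate(b"\x04" + b"\x11" * 64, serial=b"\x01")
CERT_B, _ = toy_certificate(b"\x04" + b"\x11" * 64, serial=b"\x02")   # reissued, same key

# Constructed policy table, the moral equivalent of
#   <nexthop> fingerprint match=digest [match=digest ...]
POLICY = {
    "[mx.example]:25": [colonize(pubkey_fingerprint(CERT_A))],   # pin the public key
    "legacy.example": [cert_fingerprint(CERT_A)],                # pin the exact certificate
}


def peer_authenticated(nexthop, cert_der, policy=POLICY):
    """True if the certificate digest or the public-key digest of the
    presented cert equals any configured match= value for this nexthop.
    A destination with no policy entry is not authenticated (fail closed)."""
    expected = {normalize(f) for f in policy.get(nexthop, ())}
    if not expected:
        return False
    return cert_fingerprint(cert_der) in expected or pubkey_fingerprint(cert_der) in expected
```

Pinning the public-key digest (as for `[mx.example]:25` above) keeps working when the remote site reissues its certificate with the same key, while a certificate-digest pin (`legacy.example`) breaks at renewal; that choice is the main operational decision when building the lookup table.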