Wietse,
we've already discussed this once and I would like to catch up on the idea to
expand SASL login to sender mapping to a more general identity to sender
mapping.

Status Quo

Postfix currently supports SASL login name to envelope sender mapping in order
to control which SASL login name may use a particular envelope sender address.

Goal

I suggest to open this mapping to a more generic context where also TLS client
certificate fingerprints and TLS client public key fingerprints may be used to
associate them with an envelope sender address.
The map logic as well as the restrictions to enforce usage identity to
envelope sender are already in place, but their names are specific to SASL
login names.
I propose we add functionality to identify clients by TLS client
certificate fingerprints and TLS client public key fingerprints and
additionally change the SASL login specific names to a more generic form that
makes them recognizable in a wider context.
I've used existing documentation to demonstrate how these names could change
(see attached smtpd_identity_sender_mapping.txt) and what their purpose would
be. Whenever I changed an option's name I've put the old one in square brackets
behind the new name.
Additionally I suggest I'd write documentation that extracts relevant parts
from TLS_README and SASL_README and brings them together in a new
IDENTITY_README.
p@rick
P.S.
In an even wider scope it might be interesting to map a client IP address to a
sender name. One could restrict a satellite server to e.g. use only
root@satellite as envelope sender limiting it to something cron messages only.
Not sure if this is a real good feature, but it fits in the context of mapping
an identity to a sender name.
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
smtpd_identity_sender_maps (default: $smtpd_login_sender_maps)
Optional lookup table with identities that own envelope sender (MAIL
FROM) addresses.
A valid identity can either be
- a SASL login name
- a TLS client certificate fingerprint
- a TLS client public key fingerprint
Specify zero or more "type:table" lookup tables. With lookups from
indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or
SQL, the following search operations are done with a sender address of
user@domain:
1) user@domain
This table lookup is always done and has the highest precedence.
2) user
This table lookup is done only when the domain part of the sender
address matches $myorigin, $mydestination, $inet_interfaces or
$proxy_interfaces.
3) @domain
This table lookup is done last and has the lowest precedence.
In all cases the result of table lookup must be either "not found" or a
list of SASL login names, TLS client certificate fingerprints or TLS client
public key fingerprints separated by comma and/or whitespace.
permit_tls_clientcert_fingerprints
Permit the request when the remote SMTP client public key fingerprint
is listed in $relay_clientcerts. The fingerprint digest algorithm is
configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
prior to Postfix version 2.5). See TLS_README for a discussion of the
permit_tls_clientcert_fingerprints feature.
This feature is available in Postfix 2.8 and later. In earlier releases
it was called permit_tls_clientcerts.
permit_tls_clientpkey_fingerprints
Permit the request when the remote SMTP client certificate fingerprint
is listed in $relay_clientcerts. The fingerprint digest algorithm is
configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
prior to Postfix version 2.5). See TLS_README for a discussion of the
permit_tls_clientpkey_fingerprints feature.
This feature is available in Postfix 2.8 and later. In earlier releases
it was called permit_tls_clientcerts.
relay_clientpkeys (default: empty)
List of tables with remote SMTP client TLS public key fingerprints for
which the Postfix SMTP server will allow access with the
permit_tls_clientpkey_fingerprints feature.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix
version 2.5).
Postfix lookup tables are in the form of (key, value) pairs.
Since we only need the key, the value can be chosen freely, e.g. the name of
the user or host:
D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 [email protected]
Example:
relay_clientcerts = hash:/etc/postfix/relay_pubkeys
For more fine-grained control, use check_ccert_access to select an
appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.
This feature is available with Postfix version 2.8.
smtpd_sender_restrictions (default: empty)
...
reject_authenticated_sender_identity_mismatch [former: ]
Enforces the reject_sender_identity_mismatch restriction for
authenticated clients only. This feature is available in Postfix version 2.8
and later. In earlier releases it was called
reject_authenticated_sender_login_mismatch.
reject_sender_identity_mismatch [former: reject_sender_login_mismatch]
Reject the request when $smtpd_identity_sender_maps specifies an
owner for the MAIL FROM address, but the client is not identified as that
MAIL FROM address owner; or when the client is identified, but the client
identity doesn't own the MAIL FROM address according to
$smtpd_identity_sender_maps. This feature is available in Postfix version 2.8
and later. In earlier releases it was called reject_sender_login_mismatch.
reject_unauthenticated_sender_identity_mismatch [former: reject_unauthenticated_sender_login_mismatch]
Enforces the reject_sender_identity_mismatch restriction for
unauthenticated clients only. This feature is available in Postfix version 2.8
and later. In earlier releases it was called
reject_unauthenticated_sender_login_mismatch.
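
The lookup order and the mismatch rule from the draft above, modelled as an added example (not part of the original message and not Postfix code). The parameter and restriction names are the ones proposed in the draft; the function names, table contents, domains and the second fingerprint are constructed for illustration.

```python
import re

# Constructed sample data. The first fingerprint is the one quoted in the draft.
FP_CRON = "D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80"
FP_PARTNER = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
LOCAL_DOMAINS = {"example.com"}  # stands in for the $myorigin etc. match
IDENTITY_SENDER_MAP = {          # sender key -> owning identities
    "alice@example.com": "alice",
    "cron": FP_CRON,
    "@partner.example": "bob, " + FP_PARTNER,
}

def owners_of(sender):
    """Owners of a user@domain sender, or None for "not found"."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"]            # 1) always, highest precedence
    if domain in LOCAL_DOMAINS:
        keys.append(user)                  # 2) only for local domains
    keys.append("@" + domain)              # 3) last, lowest precedence
    for key in keys:
        value = IDENTITY_SENDER_MAP.get(key)
        if value is not None:
            return {o for o in re.split(r"[,\s]+", value) if o}
    return None

def sender_identity_mismatch(sender, identities):
    """True when the draft's reject_sender_identity_mismatch would reject.

    identities: what the client proved (SASL login, certificate fingerprint,
    public key fingerprint); an empty set means the client is not identified.
    """
    owners = owners_of(sender)
    if owners is None:
        return bool(identities)        # identified, but owns no such address
    return not (owners & identities)   # an owner exists; client must be one

def authenticated_mismatch(sender, identities):
    """The 'authenticated clients only' variant."""
    return bool(identities) and sender_identity_mismatch(sender, identities)

def unauthenticated_mismatch(sender, identities):
    """The 'unauthenticated clients only' variant."""
    return not identities and sender_identity_mismatch(sender, identities)
```
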