On Wed, Feb 24, 2010 at 11:46:10PM -0500, zhong ming wu wrote:

> With dovecot I can have my mail client send a certificate and make
> dovecot use the CN field of the cert as the username
> to authenticate.  If I enable that feature in dovecot, postfix
> authentication does not work despite the fact that I am also
> sending the same cert to postfix.  I wonder if there is a way to do
> that and I don't know how.

Postfix does not implement the "external" SASL mechanism for
authenticating users via TLS client certs.

> Also if I enable the feature "require client cert" with the dovecot server
> then postfix auth again does not work.  Is that
> because the dovecot socket is not accepting cert information or postfix is
> not sending the information?  Any way to make it work?
> What if I go with cyrus sasl?

TLS is hop-by-hop, not end-to-end. With TLS the client authenticates
to the Postfix TLS library, not to any SASL plugin. Postfix has no
glue to communicate client certificate details to the SASL library.

Such glue would be fragile in any case, as one needs to be extremely
careful which CAs one is willing to trust in this context, and most
users would get this wrong and be open relays for anyone who can
get a client cert from a public CA. I do not recommend this feature.

If you want a decent SASL mechanism that is better than passwords,
use GSSAPI. Also, more MUAs support GSSAPI auth than client TLS auth.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
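As an added illustration of the relay-policy point made above (not part of Viktor's message, and not taken from the Postfix documentation), here are two alternative Postfix main.cf fragments. They assume a Postfix 2.x host using Dovecot as the SASL backend with GSSAPI offered by Dovecot, and a system CA bundle at the path shown; those paths and the socket name are assumptions. The first fragment shows the setting that turns any verifiable client certificate into a relay credential; the second keeps relay rights tied to SASL authentication over a TLS-protected hop. Use one or the other, never both in the same main.cf, since the later definition of a parameter silently wins.

```ini
# --- Alternative A (weak): trust any client cert that verifies against
# smtpd_tls_CAfile. If that bundle contains public CAs, anyone who can
# obtain a client cert from one of them becomes an authorised relay user.
smtpd_tls_security_level = may
# assumed path: the distribution's public CA bundle
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination

# --- Alternative B (conservative): relay rights come only from SASL
# (GSSAPI via Dovecot), never from client certificates. AUTH is offered
# only after STARTTLS so the mechanism negotiation is protected on this hop.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# assumed Dovecot auth socket, relative to queue_directory
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After changing main.cf, `postconf -n` shows the effective values and `postfix reload` applies them; checking that `permit_tls_all_clientcerts` does not appear in the output of `postconf -n` is a quick way to confirm a server is not in the alternative-A state.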
