Hi guys,

At the moment we use SASL authentication to allow our users to send mail through our mailer (Postfix 2.5). I would like to extend this to using client certificates for authentication as well.

Our users have personal certificates that are signed by the "TERENA Personal CA". Due to the nature of this CA, it is guaranteed that all the attributes in the certificate are correct (see https://www.terena.org/activities/tcs/ for more information). So certificates with O=OrganisationX are therefore guaranteed to really be from Organisation X. I would like to use this to give relay access to my users.

Regarding access control and client certs I can find:

* allow all certs based on the issuer (smtpd_tls_CAfile). This is not an option because the CA also signs ccerts from other institutions.
* allow certs based on their fingerprint (check_ccert_access). This is not scalable.

Postfix already has access to at least the Common Name and Issuer attributes of the ccert, as can be seen by these headers:

Received: from [192.168.2.199] (a213088.upc-a.chello.nl [62.163.213.88])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Dick Visser", Issuer "TERENA Personal CA" (verified OK))
        (Authenticated sender: vis...@terena.org)
        by erasmus.terena.org (Postfix) with ESMTPSA id 6466087BC3
        for <d...@tienhuis.nl>; Mon, 22 Mar 2010 21:33:38 +0100 (CET)

Is there a way to restrict relaying access only to clients showing a certificate that has:

* issuer "TERENA Personal CA"
* O=TERENA
* C=NL

? I guess what I am looking for is a new restriction called something like "check_ccert_attr", that would use user-defined attributes to take decisions. That would be really scalable for our situation.

Any ideas how to implement this in other ways? I looked into policy daemon options but Postfix does not pass any certificate information other than ccert_subject, ccert_issuer, and ccert_fingerprint, which is not enough for what we want.

Thanks!

--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
vis...@terena.org | www.terena.org
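For reference, this is what the policy-daemon route mentioned in the post looks like in practice. It is an added example, not code from the thread or from Postfix: a minimal check_policy_service server that parses the Postfix policy protocol and grants relaying only on the ccert_issuer and ccert_subject attributes Postfix does pass (the subject is the CN only, so the O= and C= checks the post asks for are not possible this way; the allowed-CN set is a constructed placeholder standing in for them).

```python
#!/usr/bin/env python3
"""Added example: minimal Postfix policy daemon (check_policy_service)
deciding relay access from the client-certificate attributes Postfix
passes to policy servers: ccert_issuer, ccert_subject (CN), ccert_fingerprint.
Run it via a master.cf 'spawn' entry reading stdin/stdout (not shown)."""
import sys

TRUSTED_ISSUER = "TERENA Personal CA"
# Constructed placeholder: CNs allowed to relay. Stands in for the O=/C=
# checks the post asks for, which the policy protocol cannot express.
ALLOWED_CN = {"Dick Visser"}

def parse_policy_request(raw):
    """Parse one request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the policy action. OK grants relaying; DUNNO hands the
    decision to the remaining smtpd_recipient_restrictions, so a client
    without a matching certificate is never accepted here by accident."""
    # A missing or empty issuer (no verified cert presented) fails this test.
    if attrs.get("ccert_issuer") != TRUSTED_ISSUER:
        return "action=DUNNO"
    if attrs.get("ccert_subject") not in ALLOWED_CN:
        return "action=DUNNO"
    return "action=OK"

def respond(lines):
    """Process a sequence of protocol lines; one response per request."""
    responses, buf = [], []
    for line in lines:
        line = line.rstrip("\n")
        if line:
            buf.append(line)
        else:
            responses.append(decide(parse_policy_request("\n".join(buf))))
            buf = []
    return responses

if __name__ == "__main__":
    # Each response is 'action=...' followed by an empty line.
    for line in sys.stdin:
        sys.stdout.write("\n\n".join(respond([line])) + "\n\n") if not line.strip() else None
```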