> On Feb 3, 2017, at 1:08 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
> 
> match_cert_to_user_policy_server.php:
> 
> #!/usr/bin/php
> <?php
> 
> $stdin = fopen('php://stdin', 'r');
> $postfixIncomingAttributes = array();
> while (true) {
>     $line = fgets($stdin);
>     if ($line == "\n") {
>         break;
>     }
>     $splittedLine = preg_split("/=/", $line);
>     $postfixIncomingAttributes[$splittedLine[0]] = trim($splittedLine[1]);
> }
> $userCertMappings = ['user1' => '2E:DF:45:25:E1:50:60:DB:69:24:C3:80:C0:06:49:FE',
>                      "user2" => '93:A6:23:A1:96:2E:4B:0D:6B:EE:2E:71:C5:F3:DC:24'];
> $saslUsername = $postfixIncomingAttributes['sasl_username'];
> $expectedCertFingerprint = isset($userCertMappings[$saslUsername]) ? $userCertMappings[$saslUsername] : null;
> if ($expectedCertFingerprint != null && $expectedCertFingerprint == $postfixIncomingAttributes['ccert_fingerprint']) {
>     fwrite(STDOUT, "action=ok\n");
> } else {
>     fwrite(STDOUT, "action=reject\n");
> }
> fwrite(STDOUT, "\n");
Does this PHP script handle multiple policy lookup requests?  The smtpd(8)
service expects a policy service to handle multiple blank-line terminated
requests.

You might also want to consider SHA256 or at least SHA1 digests
(smtpd_tls_fingerprint_digest = ...).  The use of MD5, even where only
2nd-preimage resistance is needed, is frowned upon these days.

-- 
	Viktor.
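Added example, not Jaime's script and not code shipped with Postfix: a policy service loop, written in Python rather than PHP, that reads the Postfix policy protocol (name=value lines, each request terminated by an empty line, many requests per connection) until the connection closes, and answers each request with the same sasl_username to ccert_fingerprint mapping idea, but against SHA256 fingerprints as Viktor suggests. The USER_CERT_MAPPINGS table, its fingerprints and the SAMPLE_STREAM request stream are constructed for this example; the attribute names (request, sasl_username, ccert_fingerprint) and the action=ok/reject/dunno replies are the ones documented for smtpd(8) policy delegation.

```python
import hashlib
import hmac
import io
import sys

# Constructed fingerprints in the colon-separated uppercase hex form Postfix
# puts into ccert_fingerprint.  They stand in for real certificate digests
# made with the same algorithm as smtpd_tls_fingerprint_digest (sha256 here).
def _fp(data: bytes) -> str:
    return ":".join(f"{b:02X}" for b in hashlib.sha256(data).digest())

# Hypothetical user -> expected client-cert fingerprint table (example only).
USER_CERT_MAPPINGS = {
    "user1": _fp(b"constructed cert for user1"),
    "user2": _fp(b"constructed cert for user2"),
}

# A SHA256 fingerprint is 32 hex pairs joined by ':' -> 95 characters.
SHA256_FP_LEN = 32 * 3 - 1


def parse_requests(lines):
    """Yield one dict per blank-line-terminated policy request.

    Postfix may send many requests over one connection, so keep going until
    the input is exhausted rather than stopping after the first blank line.
    Values can themselves contain '=', so split on the first one only.
    """
    attrs = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            if attrs:
                yield attrs
                attrs = {}
            continue
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    if attrs:  # input ended without the terminating blank line
        yield attrs


def decide(attrs, mappings=USER_CERT_MAPPINGS):
    """Return the Postfix action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"  # not an access-policy lookup; let other restrictions decide
    user = attrs.get("sasl_username", "")
    presented = attrs.get("ccert_fingerprint", "").upper()
    expected = mappings.get(user)
    if not user or not presented or expected is None:
        return "reject"
    if len(presented) != SHA256_FP_LEN:
        # Length mismatch means smtpd_tls_fingerprint_digest is not sha256,
        # so the table cannot be compared against what Postfix sent.
        return "reject"
    if hmac.compare_digest(expected.encode(), presented.encode()):
        return "ok"
    return "reject"


def serve(reader, writer, mappings=USER_CERT_MAPPINGS):
    """Answer every request on the connection; return how many were handled."""
    handled = 0
    for attrs in parse_requests(reader):
        writer.write(f"action={decide(attrs, mappings)}\n\n")
        writer.flush()
        handled += 1
    return handled


def actions_for(text, mappings=USER_CERT_MAPPINGS):
    """Run the loop over a captured request stream and return the actions."""
    out = io.StringIO()
    serve(io.StringIO(text), out, mappings)
    return [l[len("action="):] for l in out.getvalue().split("\n")
            if l.startswith("action=")]


# Constructed stream of four requests on one connection: a good match (sent in
# lower case), a user presenting someone else's cert, an MD5-length
# fingerprint copied from the original post, and an unknown user with no cert.
SAMPLE_STREAM = (
    "request=smtpd_access_policy\nsasl_username=user1\n"
    f"ccert_fingerprint={USER_CERT_MAPPINGS['user1'].lower()}\n\n"
    "request=smtpd_access_policy\nsasl_username=user2\n"
    f"ccert_fingerprint={USER_CERT_MAPPINGS['user1']}\n\n"
    "request=smtpd_access_policy\nsasl_username=user1\n"
    "ccert_fingerprint=2E:DF:45:25:E1:50:60:DB:69:24:C3:80:C0:06:49:FE\n\n"
    "request=smtpd_access_policy\nsasl_username=user3\nccert_fingerprint=\n\n"
)

if __name__ == "__main__":
    # Run under spawn(8) from master.cf: requests arrive on stdin, answers go to stdout.
    serve(sys.stdin, sys.stdout)
```

If the digest is switched to sha256 in main.cf, the fingerprints in the table have to be regenerated with the same algorithm (for example `openssl x509 -noout -fingerprint -sha256 -in client.pem`); the length check above turns a forgotten regeneration into a reject rather than a silent accept-nothing that is hard to tell apart from a bad certificate.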