Re: permit_tls_clientcerts with CN matching
lst_ho...@kwsoft.de:
> Quote from Wietse Venema:
> > lst_ho...@kwsoft.de:
> >> Hello,
> >>
> >> we need to authenticate an SMTP client connection based on the CN of the
> >> (trusted) client certificate. The client is not under our control
> >> (O365 connector), so we will get no notification if the key
> >> fingerprint changes. As far as I can see Postfix is only able to
> >> use certificate fingerprints to allow relaying, not the CN string, no?
> >>
> >> Have I missed something or is this not considered a valid use case?
> >
> > CN-based access checks are not built into Postfix, but the CN is
> > available in the policy delegation protocol's ccert_subject attribute,
> > if the client certificate can be verified with PKI.
> >
> > There is a patch-in-progress (thread: TLS client certificates and
> > auth external) that provides the option to permit relaying based
> > on certificate info.
> >
> > Wietse
>
> Will this be available in the 3.5 experimental release or only later
> down the road for 3.6?

In the current (3.5) development cycle, if this can be done safely.

Wietse
Re: permit_tls_clientcerts with CN matching
Quote from Wietse Venema:
> lst_ho...@kwsoft.de:
>> Hello,
>>
>> we need to authenticate an SMTP client connection based on the CN of the
>> (trusted) client certificate. The client is not under our control
>> (O365 connector), so we will get no notification if the key
>> fingerprint changes. As far as I can see Postfix is only able to
>> use certificate fingerprints to allow relaying, not the CN string, no?
>>
>> Have I missed something or is this not considered a valid use case?
>
> CN-based access checks are not built into Postfix, but the CN is
> available in the policy delegation protocol's ccert_subject attribute,
> if the client certificate can be verified with PKI.
>
> There is a patch-in-progress (thread: TLS client certificates and
> auth external) that provides the option to permit relaying based
> on certificate info.
>
> Wietse

Will this be available in the 3.5 experimental release or only later
down the road for 3.6?

Thanks

Andreas
Re: permit_tls_clientcerts with CN matching
On 27/03/2019 at 15:15, Wietse Venema wrote:
> lst_ho...@kwsoft.de:
>> Hello,
>>
>> we need to authenticate an SMTP client connection based on the CN of the
>> (trusted) client certificate. The client is not under our control
>> (O365 connector), so we will get no notification if the key
>> fingerprint changes. As far as I can see Postfix is only able to
>> use certificate fingerprints to allow relaying, not the CN string, no?
>>
>> Have I missed something or is this not considered a valid use case?
>
> CN-based access checks are not built into Postfix, but the CN is
> available in the policy delegation protocol's ccert_subject attribute,
> if the client certificate can be verified with PKI.
>
> There is a patch-in-progress (thread: TLS client certificates and
> auth external) that provides the option to permit relaying based
> on certificate info.
>
> Wietse

Hello,

I missed this thread too! I need to go one step further. Will develop in the thread.

Emmanuel.
Re: permit_tls_clientcerts with CN matching
lst_ho...@kwsoft.de:
> Hello,
>
> we need to authenticate an SMTP client connection based on the CN of the
> (trusted) client certificate. The client is not under our control
> (O365 connector), so we will get no notification if the key
> fingerprint changes. As far as I can see Postfix is only able to
> use certificate fingerprints to allow relaying, not the CN string, no?
>
> Have I missed something or is this not considered a valid use case?

CN-based access checks are not built into Postfix, but the CN is
available in the policy delegation protocol's ccert_subject attribute,
if the client certificate can be verified with PKI.

There is a patch-in-progress (thread: TLS client certificates and
auth external) that provides the option to permit relaying based
on certificate info.

Wietse
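The ccert_subject route Wietse describes can be tried with a small policy server. The following is an added example, not code from the thread or from Postfix: it parses one policy delegation request (attribute=value lines ended by an empty line), permits relaying only when the verified client-certificate CN is on an allow-list, and answers DUNNO otherwise so the rest of smtpd_relay_restrictions still applies. The allow-list, the service name ccertpolicy and the script path are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal Postfix policy server: permit relaying by verified client-certificate CN.

Postfix sends attribute=value lines terminated by an empty line and expects one
"action=..." line plus an empty line back. Assumed wiring (not from the thread):
  master.cf: ccertpolicy unix - n n - 0 spawn user=nobody argv=/usr/local/bin/ccertpolicy.py
  main.cf:   smtpd_relay_restrictions = check_policy_service unix:private/ccertpolicy, ...
"""
import sys

# Constructed allow-list of client-certificate CNs permitted to relay.
ALLOWED_CNS = {"smtp-connector.example.com", "partner-smtp.example.net"}

def parse_policy_request(lines):
    """Parse the attribute=value lines of one policy request into a dict."""
    request = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break  # empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            request[name] = value
    return request

def decide(request, allowed_cns=ALLOWED_CNS):
    """Return the policy action for one parsed request.

    Postfix leaves ccert_subject empty unless the certificate was verified
    against a trusted CA, so an empty or missing value never matches.
    DUNNO hands the decision to the remaining smtpd_relay_restrictions.
    """
    if request.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    cn = request.get("ccert_subject", "")
    if cn and cn in allowed_cns:  # exact match only, no substring or wildcard
        return "action=OK"
    return "action=DUNNO"

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    while True:
        request = parse_policy_request(stream_in)
        if not request:
            return
        stream_out.write(decide(request) + "\n\n")
        stream_out.flush()

if __name__ == "__main__":
    serve()
```

The fingerprint-to-CN change the thread asks about is the only difference from the fingerprint approach: the CA trust configured via smtpd_tls_CAfile (or smtpd_tls_CApath) and smtpd_tls_ask_ccert=yes still decides whether ccert_subject is populated at all.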
permit_tls_clientcerts with CN matching
Hello,

we need to authenticate an SMTP client connection based on the CN of the
(trusted) client certificate. The client is not under our control
(O365 connector), so we will get no notification if the key
fingerprint changes. As far as I can see Postfix is only able to
use certificate fingerprints to allow relaying, not the CN string, no?

Have I missed something or is this not considered a valid use case?

Regards

Andreas