permit_tls_clientcerts with CN matching


permit_tls_clientcerts with CN matching

lst_hoe02
Hello,

we need to authenticate an SMTP client connection based on the CN of the
(trusted) client certificate. The client is not under our control
(O365 connector), so we will get no notification if the key
fingerprint changes. As far as I can see Postfix is only able to
use certificate fingerprints to allow relaying, not the CN string, no?

Have I missed something or is this not considered a valid use case?

Regards

Andreas



Re: permit_tls_clientcerts with CN matching

Wietse Venema
[hidden email]:
> Hello,
>
> we need to authenticate an SMTP client connection based on the CN of the
> (trusted) client certificate. The client is not under our control
> (O365 connector), so we will get no notification if the key
> fingerprint changes. As far as I can see Postfix is only able to
> use certificate fingerprints to allow relaying, not the CN string, no?
>
> Have I missed something or is this not considered a valid use case?

CN-based access checks are not built into Postfix, but the CN is
available in the policy delegation protocol's ccert_subject attribute,
if the client certificate can be verified with PKI.

There is a patch-in-progress (thread: TLS client certificates and
auth external) that provides the option to permit relaying based
on certificate info.

        Wietse
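The policy-delegation route Wietse describes above, as an added example that is not part of the original thread and not Postfix's own code: a minimal SMTPD policy server that reads the attribute=value request Postfix sends, looks at the ccert_subject attribute (the verified client certificate's CN) and answers action=OK when that CN is on an allow list, action=DUNNO otherwise so the remaining restrictions decide. The allow list, the sample request and the CA name are constructed; the +XX decoding assumes Postfix's xtext-style encoding of special characters in these attributes.

```python
"""Postfix SMTPD policy server: permit relaying by verified client-certificate CN.

Added example (not Postfix code). Postfix only fills in ccert_subject when the
client certificate verified against the CA configured in smtpd_tls_CAfile, so
an empty value is treated as "no verified certificate".
"""
import sys
from typing import Dict, Iterable, List, TextIO

# Constructed allow list: CNs of client certificates permitted to relay.
# The CN survives a key or certificate renewal, unlike a fingerprint.
ALLOWED_CNS = frozenset({"relay.example.org", "partner-mta.example.net"})

# Constructed sample request, in the shape Postfix sends to a policy service
# (one attribute per line, terminated by an empty line).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mx.example.org\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "encryption_protocol=TLSv1.2\n"
    "ccert_subject=relay.example.org\n"
    "ccert_issuer=Example+20Root+20CA\n"
    "ccert_fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33\n"
    "\n"
)


def xtext_decode(value: str) -> str:
    """Decode the +XX encoding Postfix uses for special characters (assumption)."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "+" and i + 2 < len(value):
            try:
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass  # not a hex pair: keep the literal '+'
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_policy_request(lines: Iterable[str]) -> Dict[str, str]:
    """Read one request from a line iterator; stop at the empty terminator line."""
    attrs: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], allowed: Iterable[str] = ALLOWED_CNS) -> str:
    """Return the Postfix action for one request: OK to permit, DUNNO to fall through."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    cn = xtext_decode(attrs.get("ccert_subject", "")).strip().lower()
    if cn and cn in {a.lower() for a in allowed}:
        return "OK"
    # Unverified, missing, or unknown CN: let the other restrictions decide.
    return "DUNNO"


def responses(lines: Iterable[str]) -> List[str]:
    """Answer every request on a stream; used by serve() and by tests."""
    it = iter(lines)
    answers: List[str] = []
    while True:
        attrs = parse_policy_request(it)
        if not attrs:
            break
        answers.append(f"action={decide(attrs)}\n\n")
    return answers


def serve(inp: TextIO, out: TextIO) -> None:
    """Run as a Postfix spawn(8) service: one request in, one answer out, flush each."""
    while True:
        attrs = parse_policy_request(inp)
        if not attrs:
            break
        out.write(f"action={decide(attrs)}\n\n")
        out.flush()


def demo() -> str:
    """Decide the constructed sample request (expected: OK)."""
    return decide(parse_policy_request(SAMPLE_REQUEST.splitlines(keepends=True)))


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(demo())
    else:
        serve(sys.stdin, sys.stdout)
```

To wire it in, Postfix needs smtpd_tls_ask_ccert = yes and the issuing CA in smtpd_tls_CAfile so the certificate actually verifies, the script started from master.cf via spawn, and a check_policy_service entry placed in smtpd_relay_restrictions before reject_unauth_destination. Returning DUNNO rather than REJECT for unknown CNs keeps the policy server from overriding the rest of the restriction list.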

Re: permit_tls_clientcerts with CN matching

Emmanuel Fusté-2
On 27/03/2019 at 15:15, Wietse Venema wrote:

> [hidden email]:
>> Hello,
>>
>> we need to authenticate an SMTP client connection based on the CN of the
>> (trusted) client certificate. The client is not under our control
>> (O365 connector), so we will get no notification if the key
>> fingerprint changes. As far as I can see Postfix is only able to
>> use certificate fingerprints to allow relaying, not the CN string, no?
>>
>> Have I missed something or is this not considered a valid use case?
> CN-based access checks are not built into Postfix, but the CN is
> available in the policy delegation protocol's ccert_subject attribute,
> if the client certificate can be verified with PKI.
>
> There is a patch-in-progress (thread: TLS client certificates and
> auth external) that provides the option to permit relaying based
> on certificate info.
>
> Wietse
Hello,

I missed this thread too! I need to go one step further. Will develop
in the thread.

Emmanuel.

Re: permit_tls_clientcerts with CN matching

lst_hoe02
In reply to this post by Wietse Venema

Quoting Wietse Venema <[hidden email]>:

> [hidden email]:
>> Hello,
>>
>> we need to authenticate an SMTP client connection based on the CN of the
>> (trusted) client certificate. The client is not under our control
>> (O365 connector), so we will get no notification if the key
>> fingerprint changes. As far as I can see Postfix is only able to
>> use certificate fingerprints to allow relaying, not the CN string, no?
>>
>> Have I missed something or is this not considered a valid use case?
>
> CN-based access checks are not built into Postfix, but the CN is
> available in the policy delegation protocol's ccert_subject attribute,
> if the client certificate can be verified with PKI.
>
> There is a patch-in-progress (thread: TLS client certificates and
> auth external) that provides the option to permit relaying based
> on certificate info.
>
> Wietse

Will this be available in the 3.5 experimental release or only later  
down the road for 3.6?

Thanks

Andreas



Re: permit_tls_clientcerts with CN matching

Wietse Venema
[hidden email]:

> Quoting Wietse Venema <[hidden email]>:
> > [hidden email]:
> >> Hello,
> >>
> >> we need to authenticate an SMTP client connection based on the CN of the
> >> (trusted) client certificate. The client is not under our control
> >> (O365 connector), so we will get no notification if the key
> >> fingerprint changes. As far as I can see Postfix is only able to
> >> use certificate fingerprints to allow relaying, not the CN string, no?
> >>
> >> Have I missed something or is this not considered a valid use case?
> >
> > CN-based access checks are not built into Postfix, but the CN is
> > available in the policy delegation protocol's ccert_subject attribute,
> > if the client certificate can be verified with PKI.
> >
> > There is a patch-in-progress (thread: TLS client certificates and
> > auth external) that provides the option to permit relaying based
> > on certificate info.
> >
> > Wietse
>
> Will this be available in the 3.5 experimental release or only later  
> down the road for 3.6?

In the current (3.5) development cycle, if this can be done safely.

        Wietse