On 02/09/10 21:11 +0200, Thomas Harding wrote:
However, I use my own created CA chain (with intermediate one)
to authenticate users in Postfix, not to account, which would
need the same process, and both postfix and cyrus ask for a
certificate issued from this secondary authority.
So, my postfix smtp_sender_restrictions rules allow mail from
certificates issued by my authority (permit_tls_all_clientcerts);
these users are logged as "trusted", while certificates from other
authorities are logged as anonymous.
At the same time, I have Sep 2 17:27:23 smtp2 cyrus/imaps[27137]: login:
[192.168.0.254] tom plain+TLS User logged in
And I run imaps (tcp 993) only.
So, how to use "TLS" authentication without plain/other authentication
mechanisms?
* I wonder if something is planned in cyrus SASL to allow accounting
through X509 subject DN, with selected CA authorities.
The cyrus sasl library facilitates the use of authentication of a TLS
session via the EXTERNAL mechanism. However, such support must be
implemented by the server in question (such as Postfix).
Servers typically implement support by providing a STARTTLS command, and
using some information contained in the certificate to derive a username.
How the server derives the username is up to the server.
For instance, the imapd server does this in its starttls implementation:
/* From imap/tls.c */
*authid = peer_CN[0] ? xstrdup(peer_CN) : NULL;
/* from imap/imapd.c */
result = sasl_setprop(imapd_saslconn, SASL_AUTH_EXTERNAL, auth_id);
Which presumably means that whatever is in the common name of the
certificate will become the authenticated identity.
I believe sendmail, cyrus imap, and openldap support such authentication. I
don't believe postfix does. I cannot find any mention of SASL_AUTH_EXTERNAL
in its source.
--
Dan White
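The derivation Dan describes (the certificate's CN becomes the EXTERNAL authid, an empty CN leaves the session anonymous), combined with the "selected CA authorities" restriction Thomas asks for, worked through as an added example. This is not code from Cyrus, Postfix or either poster; it operates on the dictionary shape that Python's stdlib `ssl.SSLSocket.getpeercert()` returns, and the sample certificates below are constructed dictionaries, not real peers. Unlike the quoted imapd code, which takes whatever `peer_CN` holds, this version refuses a subject with zero or more than one CN rather than guessing.

```python
"""Derive a SASL EXTERNAL authid from a TLS client certificate.

Added example (not Cyrus or Postfix code). Mirrors the quoted imapd logic,
CN -> authenticated identity, no CN -> anonymous, and adds an issuer
allowlist so only certificates from a chosen CA chain yield an identity.
Input is the dict returned by ssl.SSLSocket.getpeercert() (Python stdlib),
i.e. 'subject' and 'issuer' are tuples of RDNs, each RDN a tuple of
(attribute-name, value) pairs, in certificate order (most general first).
"""
from typing import FrozenSet, Optional, Tuple

# Attribute names as getpeercert() spells them, mapped to RFC 4514 short forms.
_SHORT = {
    "commonName": "CN",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "emailAddress": "emailAddress",
}

# Characters that must be backslash-escaped inside an RFC 4514 attribute value.
_ESCAPE = set(',+"\\<>;')


def _escape_value(value: str) -> str:
    """Escape a DN attribute value per RFC 4514 so CA names compare unambiguously."""
    out = []
    for i, ch in enumerate(value):
        if ch in _ESCAPE or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rfc4514(name: Tuple) -> str:
    """Render a getpeercert() name tuple as an RFC 4514 string, CN first.

    Multi-valued RDNs are joined with '+', RDNs with ',', and the order is
    reversed because certificates store the most general component first.
    """
    rdns = []
    for rdn in reversed(name):
        rdns.append("+".join(f"{_SHORT.get(k, k)}={_escape_value(v)}" for k, v in rdn))
    return ",".join(rdns)


def _values(name: Tuple, attr: str) -> list:
    """All values of one attribute (e.g. 'commonName') across the RDNs of a name."""
    return [v for rdn in name for (k, v) in rdn if k == attr]


def derive_external_authid(peercert: Optional[dict],
                           trusted_issuers: FrozenSet[str]) -> Optional[str]:
    """Return the identity a server would hand to sasl_setprop(SASL_AUTH_EXTERNAL),
    or None, the equivalent of imapd's NULL: the session stays anonymous.

    Rules:
      1. No certificate presented (anonymous TLS, or the server did not request
         one) -> None.
      2. Issuer DN must be in trusted_issuers -> otherwise None. This is the
         "selected CA authorities" check; a CN alone proves nothing about who
         vouched for it.
      3. Exactly one non-empty CN in the subject -> that string. Zero CNs or an
         ambiguous subject with several CNs -> None.
    """
    if not peercert:
        return None
    if rfc4514(peercert.get("issuer", ())) not in trusted_issuers:
        return None
    cns = [c for c in _values(peercert.get("subject", ()), "commonName") if c]
    if len(cns) != 1:
        return None
    return cns[0]


# Constructed sample data (not real certificates).
TRUSTED = frozenset({"CN=Example Users CA,O=Example"})

CERT_TOM = {
    "subject": ((("organizationName", "Example"),), (("commonName", "tom"),)),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Users CA"),)),
}
CERT_OTHER_CA = {
    "subject": ((("commonName", "tom"),),),
    "issuer": ((("organizationName", "Someone Else"),), (("commonName", "Public CA"),)),
}
CERT_NO_CN = {
    "subject": ((("organizationName", "Example"),), (("emailAddress", "tom@example.test"),)),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Users CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("own CA", CERT_TOM), ("other CA", CERT_OTHER_CA), ("no CN", CERT_NO_CN)):
        print(f"{label:9} -> {derive_external_authid(cert, TRUSTED)!r}")
```

The issuer comparison is done on a canonical string so that two CAs differing only in quoting or component order cannot collide; in a real server you would additionally rely on the TLS library's chain verification, since this function only inspects the already-verified certificate's names.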