Re: How to authenticate through a X509/pkcs12 client certificate (SSLv3/ [RFC 5246 ?] authentication only)?

Thomas Harding <tom@xxxxxxxxxxxxxxxxxxx> writes:

> Hello,
> In fact the CMU manual has "todo" in this section, and I didn't find
> anything on Google about that:
> * I would avoid user/password authentication and use only client
> certificates to authenticate and then log in imap users.
> My searches didn't succeed on the Internet; however, pkcs12 files
> and physical security devices (credit-like cards, RFID...) seem
> better (no password exchange even through TLS, but a challenge
> response to resent).
> However, I use my own created CA chain (with an intermediate one)
> to authenticate users in Postfix, not to account, which would
> need the same process, and both postfix and cyrus ask for a
> certificate issued from this secondary authority.
> So, my postfix smtp_sender_restrictions rules allow mails from
> certificates issued by my authority (permit_tls_all_clientcerts);
> these users are logged as "trusted", while certificates from other
> authorities are logged as anonymous.
> At the same time, I have:
> Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [] tom plain+TLS User logged in
> And I run imaps (tcp 993) only.
> So, how to use "TLS" authentication without plain/other authentication
> mechanisms?
> * I wonder if something is planned in cyrus SASL to allow accounting
> through the X509 subject DN, with selected CA authorities.
> * I wonder if it is possible by configuration to allow only one or a set
> of root or intermediate CAs from "the CA wallet" to "proof" only their
> own users to log in, while I use a separate CA bundle in Postfix
> to do that, but would prefer a sasl dedicated mechanism to avoid
> double-checking.
> These two points would allow a single or multiple points, the CAs, to
> give user accounts without intervention on the server (with an
> autocreatemailbox at first connection, but not at first received mail).
> Is something planned or done on any of these points?

You may use OpenLDAP as an identity provider, ldapdb as auxiliary
property plugin and the SASL mechanism EXTERNAL.


Dieter Klünter | Systemberatung
sip: 7770535@xxxxxxxxxx
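As an added illustration of the reply's suggestion (a configuration fragment assembled by the editor, not taken from either post or from the Cyrus project's own documentation), the imapd.conf excerpt below puts the password-over-TLS setting that produces the `tom plain+TLS` login line beside a certificate-only setup. Option names follow Cyrus IMAP 2.4 and later (`tls_client_ca_file`, `tls_client_certs`) and the Cyrus SASL ldapdb plugin (`ldapdb_*`, which imapd.conf prefixes with `sasl_`); the LDAP URI, service identity, password and CA file path are placeholders to be replaced.

```conf
# --- Before: password mechanisms over TLS (what logs "tom plain+TLS User logged in") ---
# sasl_mech_list: PLAIN LOGIN
# sasl_pwcheck_method: saslauthd
# tls_client_certs: optional

# --- After: client certificates only; no password mechanism is advertised ---
# Only AUTH=EXTERNAL is offered, and imapd offers it only after the TLS layer
# has verified a client certificate.
sasl_mech_list: EXTERNAL
# Reject TLS handshakes that do not present a certificate verifiable against
# tls_client_ca_file (values: off, optional, require).
tls_client_certs: require
# Placeholder path: the CA bundle allowed to issue user certificates.
tls_client_ca_file: /etc/ssl/cyrus/users-ca.pem

# Identity lookup through the Cyrus SASL ldapdb auxprop plugin. The plugin
# binds to OpenLDAP with its own service identity and uses SASL proxy
# authorization to act as the authenticated user. All values are placeholders.
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.com
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_id: cyrus-imap
sasl_ldapdb_pw: CHANGE_ME
# Canonicalize the EXTERNAL identity to the LDAP uid attribute.
sasl_ldapdb_canon_attr: uid
```

Two points to check before relying on this. First, in the Cyrus imapd TLS code the editor has read, the EXTERNAL identity handed to SASL is the client certificate's subject CN, not the full DN, so a user's certificate must carry CN=tom (or ldapdb must canonicalize whatever the CN is) for the mailbox lookup to match; confirm this against the tls.c of the version deployed. Second, the poster's wish to trust a single intermediate CA cannot be met by listing only that intermediate in `tls_client_ca_file`: default OpenSSL verification requires a trusted self-signed root, and once the root is trusted every intermediate chained to it is accepted. A dedicated root for user certificates, or a separate issuer check such as the one Postfix performs with permit_tls_all_clientcerts, is the workable alternative.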
