Thomas Harding <tom@xxxxxxxxxxxxxxxxxxx> writes:

> Hello,
> In fact the CMU manual has "todo" in this section, and I didn't find
> anything in Google about that :
>
> * I would avoid user/password authentication and use only client
> certificates to authenticate then login imap users.
>
> My searches didn't succeed on the Internet, however pkcs12 files
> and physical security devices (credit-like cards, rfid...) seem
> better (no password exchange even through TLS but a challenge
> response to resent).
>
> However, I use my own created CA chain (with intermediate one)
> to authenticate users in Postfix, not to account, which would
> need the same process, and both postfix and cyrus ask for a
> certificate issued from this secondary authority.
> So, my postfix smtp_sender_restrictions rules allow mails from
> certificates issued by my authority (permit_tls_all_clientcerts),
> these users are logged as "trusted", while certificates from other
> authorities are logged as anonymous.
>
> At the same time, I have
> Sep 2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in
>
> And I run imaps (tcp 993) only.
>
> So, how to use "TLS" authentication without plain/other authentication
> mechanisms ?
>
>
> * I wonder if something is planned on cyrus SASL to allow accounting
> through X509 subject DN, with selected CA authorities
>
>
> * I wonder if it is possible by configuration to allow only one or a set
> of root or intermediate CAs from "the CA wallet" to "proof" only their
> own users to log in, while I use a separate CA bundle into Postfix
> to do that, but would prefer a sasl dedicated mechanism to avoid
> double-check.
>
> These two points will allow a single or multiple points, the CAs, to
> give user accounts without intervention on server (with an
> autocreatemailbox at first connexion, but not at first received mail)
>
> Is something planned or done on any of these points?
You may use OpenLDAP as identity provider, ldapdb as auxiliary property plugin and SASL mechanism EXTERNAL.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@xxxxxxxxxx
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
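As an added example that is not part of this thread and not taken from the Cyrus documentation, here is how the three pieces Dieter names (client certificates verified at the TLS layer, SASL EXTERNAL, and the ldapdb auxprop plugin in front of OpenLDAP) fit together in Cyrus IMAP's imapd.conf. The option names are the Cyrus IMAP 2.4/2.5 and Cyrus SASL ldapdb names as I know them (older releases spell the TLS options tls_cert_file, tls_key_file and tls_ca_file); the file paths, the ldapi:/// URI, the autocreate options and the assumption that an identity absent from LDAP fails canonicalisation are mine, not the project's.

```conf
# Added example imapd.conf fragment (not from the thread or the Cyrus docs).
# Paths, the LDAP URI and the autocreate values are placeholders/assumptions.

# Offer only EXTERNAL, so the TLS client certificate is the sole SASL mechanism.
sasl_mech_list: EXTERNAL
allowplaintext: no

# Server certificate and key (tls_cert_file / tls_key_file on older releases).
tls_server_cert: /etc/ssl/certs/imap.example.com.pem
tls_server_key: /etc/ssl/private/imap.example.com.key

# Trust store used to verify CLIENT certificates (tls_ca_file on older releases).
# Contains only the user-issuing root and the intermediate that signs user
# certificates; a certificate from any other CA fails the handshake and never
# reaches SASL. A verified certificate yields an EXTERNAL authentication
# identity taken from the certificate's subject CN.
tls_client_ca_file: /etc/ssl/certs/mail-users-chain.pem

# ldapdb as auxprop plugin: user properties are looked up in OpenLDAP over a
# local socket, binding with the imapd process's own identity via EXTERNAL.
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldapi:///
sasl_ldapdb_mech: EXTERNAL
# Canonicalise the CN through LDAP: an identity with no LDAP entry cannot be
# canonicalised, so a valid certificate alone is not enough to log in
# (assumed ldapdb behaviour when ldapdb_canon_attr is set).
sasl_ldapdb_canon_attr: uid

# Create the mailbox on the first successful login, not on first delivery
# (autocreate was a separate patch before Cyrus 2.5; option names assumed).
autocreate_quota: 1048576
autocreate_post: 0
```

Two caveats that bear on Thomas's third point. First, OpenSSL only accepts a chain that ends in a self-signed certificate present in the trust store, so the root has to be in tls_client_ca_file, and with it every other intermediate under that root also verifies; the CA file therefore scopes trust to a root, not to one intermediate, and the LDAP lookup is what turns "holds a certificate from this root" into "is one of my users". Second, the `plain+TLS` entry in the log above is the IMAP LOGIN command, which imapd still accepts over TLS regardless of sasl_mech_list; it is refused only when the password check has nothing to verify against, so the LDAP entries must not carry a usable userPassword if certificates are meant to be the only way in.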