On Thu, Feb 25, 2010 at 01:42:27PM -0500, zhong ming wu wrote:

> > Postfix does not implement the "external" SASL mechanism for
> > authenticating users via TLS client certs.
>
> So it sends user/password to dovecot socket and gets yes/no answer?

Postfix copies SASL protocol requests between the SMTP client and the SASL library. Postfix does not know whether the packets contain passwords for a PLAIN mechanism or some complex handshake for CRAM-MD5 or GSSAPI. Regardless, Postfix has no support for "external" AUTH whether via TLS or by other means.

> > TLS is hop-by-hop, not end to end. With TLS the client authenticates
>
> I would call a server dedicated only to my own users specifically for
> relay at a submission port "end to end."

I was explaining that the TLS connection terminates at the Postfix SMTP server, and Dovecot does not see the TLS exchange; it is not end-to-end from the SMTP client to Dovecot. Disputing the explanation is unwise. If it is unclear, feel free to ask further questions.

> > Such glue would be fragile in any case, as one needs to be extremely
> > careful which CAs one is willing to trust in this context, and most
> > users would get this wrong and be open relays for anyone who can
> > get a client cert from a public CA. I do not recommend this feature.
>
> My dovecot server trusts certs signed by my own private CA. With
> postfix I would think it would be a matter of maintaining two
> separate lists of CA.

I stand by my point, this would be a high-risk feature that a lot of users would misconfigure. Have you considered client cert fingerprints and check_ccert_access?

-- 
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
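The check_ccert_access approach Viktor points to, written out as an added configuration example (editor's illustration, not part of the thread and not taken from the Postfix documentation verbatim). The file paths, the "alice-laptop" name and the fingerprint value are placeholders; the digest choice and restriction order are the editor's, and the behaviour notes in the comments assume Postfix 2.3 or later. The point of this design is that the relay decision is made inside Postfix on a per-certificate fingerprint, so it depends neither on a SASL EXTERNAL mechanism (which Postfix lacks, as the reply says) nor on a list of trusted CAs (the open-relay risk the reply warns about):

```conf
# /etc/postfix/main.cf  (placeholder paths; added example, not from the thread)

# Request a client certificate during the TLS handshake. No smtpd_tls_CAfile
# is needed for the fingerprint lookup: check_ccert_access matches the
# fingerprint itself, not whether the certificate chains to a trusted CA
# (Postfix 2.3 and later; 2.2 additionally required a verified certificate).
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes

# Digest used for the fingerprint. Set it explicitly so the table and the
# server agree (the default was md5 in 2010-era releases, sha256 since 3.6).
smtpd_tls_fingerprint_digest = sha256

# Relay policy: a known fingerprint is permitted, everything else falls
# through to reject_unauth_destination. Order matters: the access check must
# appear before the reject, and it is evaluated at RCPT time, hence
# smtpd_recipient_restrictions (smtpd_relay_restrictions on 2.10+ also works).
smtpd_recipient_restrictions =
    permit_mynetworks
    check_ccert_access hash:/etc/postfix/relay_clientcerts
    reject_unauth_destination

# /etc/postfix/relay_clientcerts  (placeholder fingerprint; run
#   postmap /etc/postfix/relay_clientcerts
# after every edit)
#
# Key:   the certificate fingerprint in openssl's colon-separated uppercase
#        hex form, computed with the digest named above:
#          openssl x509 -noout -fingerprint -sha256 -in alice-laptop.pem
# Value: an access(5) action; OK permits relaying for that certificate.
#
# 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9  OK
```

Two operational notes: the client must actually present its certificate (Postfix only asks for it, so a client configured without one simply falls through to the reject), and the fingerprint changes every time a certificate is reissued, so renewals have to be accompanied by a table update and postmap run. That recurring maintenance is the price of pinning individual certificates instead of trusting a CA, which is exactly the trade Viktor is recommending.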