On Fri, Feb 3, 2017 at 1:19 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > On Feb 3, 2017, at 1:08 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
> >
> > match_cert_to_user_policy_server.php:
> >
> > #!/usr/bin/php
> > <?php
> >
> > $stdin = fopen('php://stdin', 'r');
> > $postfixIncomingAttributes = array();
> > while (true) {
> >     $line = fgets($stdin);
> >     if ($line == "\n") {
> >         break;
> >     }
> >     $splittedLine = preg_split("/=/", $line);
> >     $postfixIncomingAttributes[$splittedLine[0]] = trim($splittedLine[1]);
> > }
> > $userCertMappings = ['user1' => '2E:DF:45:25:E1:50:60:DB:69:24:C3:80:C0:06:49:FE',
> >                      'user2' => '93:A6:23:A1:96:2E:4B:0D:6B:EE:2E:71:C5:F3:DC:24'];
> > $saslUsername = $postfixIncomingAttributes['sasl_username'];
> > $expectedCertFingerprint = isset($userCertMappings[$saslUsername]) ? $userCertMappings[$saslUsername] : null;
> > if ($expectedCertFingerprint != null && $expectedCertFingerprint == $postfixIncomingAttributes['ccert_fingerprint']) {
> >     fwrite(STDOUT, "action=ok\n");
> > } else {
> >     fwrite(STDOUT, "action=reject\n");
> > }
> > fwrite(STDOUT, "\n");
>
> Does this PHP script handle multiple policy lookup requests?
> The smtpd(8) service expects a policy service to handle multiple
> blank-line terminated requests.

Multiple blank-line terminated requests in only one TCP request? If so, under which circumstances?

> You might also want to consider SHA256 or at least SHA1 digests
> (smtpd_tls_fingerprint_digest = ...). The use of MD5, even where
> only 2nd-preimage resistance is needed, is frowned upon these days.

Thanks for the suggestion; as we are currently at the prototyping stage we haven't got into the security details, but we'll do so when working on the production solution.

> --
> Viktor.

--
Jaime Hablutzel - RPC 994690880
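As an added example, not from the thread or from Postfix itself, here is the same user-to-certificate check written as a loop over every blank-line terminated request on the connection (in Python rather than PHP), stopping at EOF instead of spinning, and keyed on SHA-256 fingerprints in the format Postfix reports when smtpd_tls_fingerprint_digest = sha256. The user names and the bytes standing in for their certificates are constructed placeholders.

```python
import hashlib
import hmac
import sys

def fingerprint(cert_der: bytes) -> str:
    # Postfix format for smtpd_tls_fingerprint_digest = sha256: colon-separated uppercase hex
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-ins for the users' DER certificates (placeholders, not real certs)
USER_CERT_MAPPINGS = {
    "user1": fingerprint(b"constructed stand-in for user1 certificate"),
    "user2": fingerprint(b"constructed stand-in for user2 certificate"),
}

def read_request(stream):
    # One blank-line terminated attribute block; None at EOF so the caller stops
    attrs = {}
    while True:
        line = stream.readline()
        if line == "":                  # EOF: connection closed
            return attrs or None
        line = line.rstrip("\n")
        if line == "":                  # blank line ends this request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value

def decide(attrs):
    # ok only if the SASL user is known and presented exactly the expected certificate
    expected = USER_CERT_MAPPINGS.get(attrs.get("sasl_username", ""))
    presented = attrs.get("ccert_fingerprint", "").upper()
    if expected and presented and hmac.compare_digest(expected, presented):
        return "ok"
    return "reject"

def serve(stream, out=None):
    # Answer every request on the connection; each reply is flushed before the next read
    responses = []
    while (attrs := read_request(stream)) is not None:
        reply = f"action={decide(attrs)}\n\n"
        responses.append(reply)
        if out is not None:
            out.write(reply)
            out.flush()
    return responses

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run under spawn(8) the way the PHP script is, it answers each request as it arrives and exits cleanly when smtpd(8) closes the connection.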