I'm observing that these attributes, ccert_subject and ccert_issuer, when sent in an SMTPD access policy request, only contain the common name (if available) of the respective distinguished names (subject or issuer). Why is it so? Why don't you provide the full DNs, as they would allow for better decision making in the policy server? For example, given the following subject DN:

CN=John Doe, emailaddress=j...@example.org

If I receive it in my policy server I could match it to the 'jdoe' SASL authenticated user (to support the requirement of client certificate authentication combined with SASL authentication) without the need to have a pre-registered certificate fingerprint, which is currently my only option if I don't receive the emailaddress DN attribute, but only the CN. Taking this a step further, you could pass the entire client certificate in the access policy request (not always, to avoid the performance penalty, but through the activation of a specific configuration directive) so the policy server is allowed to make even better decisions, e.g. based on the certificate policies extension.

-- Jaime Hablutzel - RPC 994690880
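As an added illustration (not code from the post or from Postfix), here is the pre-registered-fingerprint approach the post describes as the current option: a policy-server decision function that parses one SMTPD access policy request and checks ccert_fingerprint against a fingerprint registered for the sasl_username. The registry entries and the sample request are constructed values.

```python
# Added example: decision logic for a Postfix SMTPD access policy server that
# ties a SASL-authenticated user to a pre-registered client certificate
# fingerprint. Registry and request contents below are constructed samples.
from typing import Dict

# Constructed registry: SASL username -> expected ccert_fingerprint value.
REGISTERED_FINGERPRINTS: Dict[str, str] = {
    "jdoe": "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D",
}

# Constructed sample request: name=value lines terminated by an empty line.
# Note that ccert_subject carries only the CN, as the post observes.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=jdoe@example.org\n"
    "recipient=someone@example.net\n"
    "sasl_username=jdoe\n"
    "ccert_subject=John Doe\n"
    "ccert_fingerprint=0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request into a dict; stop at the blank terminator line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Require that a SASL user presents the certificate registered for them."""
    user = attrs.get("sasl_username", "")
    presented = attrs.get("ccert_fingerprint", "").upper()
    if not user:
        return "DUNNO"  # not SASL-authenticated here; leave it to other restrictions
    expected = REGISTERED_FINGERPRINTS.get(user, "").upper()
    if expected and presented == expected:
        return "OK"
    return "REJECT client certificate does not match SASL user"


def policy_response(raw: str) -> str:
    """Format the reply exactly as the policy protocol expects: action=..., blank line."""
    return f"action={decide(parse_policy_request(raw))}\n\n"
```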