> On Jul 31, 2017, at 9:06 AM, A. Schulze <s...@andreasschulze.de> wrote:
>
> Postfix smtp server may classify incoming TLS sessions as anonymous,
> untrusted and trusted.
> (http://www.postfix.org/FORWARD_SECRECY_README.html#status)
>
> Is it possible to access this information from within a milter?

Some TLS information is made available to milters:

    #ifdef USE_TLS
    #define IF_ENCRYPTED(x) (state->tls_context ? (x) : 0)
    #define IF_TRUSTED(x) (TLS_CERT_IS_TRUSTED(state->tls_context) ? (x) : 0)
        if (strcmp(name, S8_MAC_TLS_VERSION) == 0)
            return (IF_ENCRYPTED(state->tls_context->protocol));
        if (strcmp(name, S8_MAC_CIPHER) == 0)
            return (IF_ENCRYPTED(state->tls_context->cipher_name));
        if (strcmp(name, S8_MAC_CIPHER_BITS) == 0) {
            if (state->tls_context == 0)
                return (0);
            vstring_sprintf(state->expand_buf, "%d",
                            IF_ENCRYPTED(state->tls_context->cipher_usebits));
            return (STR(state->expand_buf));
        }
        if (strcmp(name, S8_MAC_CERT_SUBJECT) == 0)
            return (IF_TRUSTED(state->tls_context->peer_CN));
        if (strcmp(name, S8_MAC_CERT_ISSUER) == 0)
            return (IF_TRUSTED(state->tls_context->issuer_CN));
    #endif

> I did not find such functionality on
> http://www.postfix.org/MILTER_README.html#macros
> so I expect "not documented -> not implemented" but I would like to be sure.
> Maybe I've overseen it...

You'll only get issuer and subject "CN" information when a client
certificate is present and trusted. So anonymous and untrusted
appear identical to milters, while "trusted" will generally provide
a subject and issuer CN. Sometimes the subject will have no CN,
but a missing issuer CN is far less common, and unlikely to also
be trusted in that case.

--
Viktor.
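
An added example (not part of the original message and not Postfix code) of how a milter could classify a session from these macros, including the trusted certificate whose subject has no CN. Assumptions: the macro names are the ones listed in MILTER_README ({tls_version}, {cipher_bits}, {cert_subject}, {cert_issuer}); the lookup callback, enum and sample tables are hypothetical, with the callback standing in for libmilter's smfi_getsymval().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical callback; in a libmilter filter, smfi_getsymval() fills this role. */
typedef const char *(*macro_lookup_fn)(void *ctx, const char *name);

enum tls_class { TLS_NONE, TLS_UNVERIFIED, TLS_TRUSTED };
static int is_set(const char *v) { return v != NULL && *v != '\0'; }

/* Classify a session from the TLS macros; *bits gets {cipher_bits} or 0. */
enum tls_class classify_tls(macro_lookup_fn get, void *ctx, long *bits)
{
    const char *b = get(ctx, "{cipher_bits}");
    *bits = is_set(b) ? strtol(b, NULL, 10) : 0;
    if (!is_set(get(ctx, "{tls_version}")))
        return TLS_NONE;                /* cleartext: no TLS macros set */
    /* A trusted subject may lack a CN, so the issuer CN counts as well. */
    if (is_set(get(ctx, "{cert_subject}")) || is_set(get(ctx, "{cert_issuer}")))
        return TLS_TRUSTED;
    /* Anonymous and untrusted clients both land here; a milter cannot tell. */
    return TLS_UNVERIFIED;
}

/* Constructed sample macro sets (not captured from a real server). */
struct kv { const char *name, *value; };
struct kv sample_plain[] = { { NULL, NULL } };
struct kv sample_unverified[] = {
    { "{tls_version}", "TLSv1.2" }, { "{cipher_bits}", "256" }, { NULL, NULL } };
struct kv sample_trusted_no_subject_cn[] = {
    { "{tls_version}", "TLSv1.2" }, { "{cipher_bits}", "256" },
    { "{cert_subject}", "" }, { "{cert_issuer}", "Example CA" }, { NULL, NULL } };

const char *table_lookup(void *ctx, const char *name)
{
    for (const struct kv *p = ctx; p->name != NULL; p++)
        if (strcmp(p->name, name) == 0)
            return p->value;
    return NULL;
}

int main(void)
{
    long bits;
    printf("%d\n", classify_tls(table_lookup, sample_plain, &bits));
    printf("%d\n", classify_tls(table_lookup, sample_unverified, &bits));
    printf("%d\n", classify_tls(table_lookup, sample_trusted_no_subject_cn, &bits));
    return 0;
}
```

A policy built on this should treat TLS_UNVERIFIED as "no verified identity", not as "no certificate presented", since the macros do not distinguish the two.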