> On Jan 8, 2019, at 5:17 PM, Bastian Schmidt <bastian.schm...@web.de> wrote:
> 
> I have an email client (K-9 on Android), which, when using TLS client 
> certificates insists on sending an auth external. However, postfix/SASL does 
> not advertise external auth, which causes the client to not be able to use 
> client certificates with postfix.
> 
> As I see it, postfix is missing the external mechanism as specified in RFC 
> 2222 (SASL) completely. Thus, I have implemented this feature (for TLS CA 
> client certs) and I am currently successfully running this on a local 
> installation using cyrus sasl.
> 
> I would be willing to provide a patch and would really like to see this 
> integrated in future versions of postfix.
> 
> I hope this is the right postfix mailing list for this request.

Well perhaps postfix-devel is equally or more appropriate.

There is a key design issue here:

 * In typical Postfix configurations we see relay restrictions of
   the form:

        smtpd_relay_restrictions = 
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination

   which is fine, when the user has enrolled for a login account
   on the receiving system.  But with client certs, anyone can get
   a client certificate from some CA, or even mint their own.

   So what does "SASL authenticated" mean with client certs?  Is
   there a particular issuing CA that's the only one trusted to
   issue client certs?  Or does the client certificate fingerprint
   need to match a lookup table for it to be considered authenticated?

   My advice is that a trusted CA, and likely often accidentally every
   CA on the planet from one of the usual CA bundles, is much too risky
   in this context, and would drag in revocation lists, OCSP, and that
   whole dumpster-fire of PKI issues.

   Therefore, the meaning of SASL authenticated for EXTERNAL should be
   that the client certificate fingerprint matches a lookup table that
   maps the client certificate to something resembling a SASL user name.

   You would then either "permit_sasl_authenticated" without distinguishing
   between one user and another, or else use "check_sasl_access" based on
   username obtained from the fingerprint->username map.  You could also
   then use the "sender login mismatch" features by matching the username
   with valid sender addresses, ...

Otherwise, "EXTERNAL" should be fairly straight-forward.  Feel free to
move the discussion to postfix-devel, or continue here to the extent
the discussion stays high level, rather than dives into the implementation.

-- 
        Viktor.
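
A small model of the design sketched above (an added example, not Postfix code and not the poster's patch): the certificate fingerprint is looked up in a table that maps enrolled certificates to a user name, a certificate with no entry counts as unauthenticated no matter which CA issued it, and the resulting user name gates relaying and a sender-login style check. The certificate bytes, the fingerprint table and the sender table are all constructed here for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded client certificates (not real certs).
CLIENT_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CLIENT-CERT-alice"
STRANGER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CLIENT-CERT-other-ca"

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate as colon-separated hex,
    the notation Postfix uses when matching certificate fingerprints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Hypothetical fingerprint -> "SASL user name" table (the lookup table the
# reply proposes). Only certificates that were enrolled appear here.
FINGERPRINT_TO_USER = {
    cert_fingerprint(CLIENT_CERT_DER): "alice",
}

# Hypothetical user -> permitted envelope sender addresses, for the
# "sender login mismatch" style check mentioned in the reply.
USER_SENDERS = {
    "alice": {"alice@example.org"},
}

def external_auth_user(der: bytes):
    """Return the mapped user name if the presented certificate is enrolled,
    otherwise None: a certificate from an arbitrary CA is NOT authenticated."""
    return FINGERPRINT_TO_USER.get(cert_fingerprint(der))

def relay_decision(der: bytes, sender: str, recipient_is_local: bool) -> str:
    """Model of smtpd_relay_restrictions with EXTERNAL: relay only for an
    enrolled certificate whose user is allowed to use this sender address."""
    if recipient_is_local:
        return "OK"  # local delivery needs no authentication
    user = external_auth_user(der)
    if user is None:
        return "REJECT unauthenticated relay"  # reject_unauth_destination
    if sender not in USER_SENDERS.get(user, set()):
        return f"REJECT sender login mismatch for {user}"
    return f"OK relay as {user}"
```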
