Hello,
Great piece of work! It solves a big part of my problem, but sadly I
need to go deeper.
On 18/03/2019 at 22:45, Bastian Schmidt wrote:
> In the meantime I have completed a patch and sent it to Wietse and
> Victor, which adds an option smtpd_sasl_tls_ccert_username.
> As the patch is rather small, I also attached it to this message.
> This smtpd_sasl_tls_ccert_username option can be used in the following
> way:
> Using smtpd_sasl_tls_ccert_username = commonName
> After providing a verified client certificate, postfix advertises auth
> external and the user can authenticate with the username being the
> commonName of the certificate. This is for users having control over
> the CA issuing the certificates and resembles the way cyrus imap
> handles the situation.
> Using smtpd_sasl_tls_ccert_username = relay_clientcerts
> When a client presents a certificate whose fingerprint matches in
> relay_clientcerts, the lookup value (previously unused) is used to get
> the username for sasl. The client can then perform an auth external
> with this username successfully. This is a solution for users who
> cannot control the CAs or do not want to trust them or cope with CRLs,
> ... It fits in the way postfix currently handles client certificates.
I have to deal with products that do not support SMTP AUTH (big email
security appliance provider .....) but are able to present a TLS
certificate.
On my platform, the use of the smtpd_sender_login_maps and associated
restrictions (reject_sender_login_mismatch) is mandatory to achieve our
goal.
At first, I was thinking about using the lookup value of
relay_clientcerts to map a sasl username.
It is nicely done with your patch with smtpd_sasl_tls_ccert_username =
relay_clientcerts, but I need to go one step further:
I need to completely bypass the sasl provider call and act as if the
mapped user had successfully authenticated.
It would be something like "smtpd_sasl_tls_ccert_username =
relay_clientcerts_nosasl" or relay_clientcerts_saslbypass or something
else (I'm not good at finding good option names ...)
The goal is to be as transparent as possible:
- if the client is not found in relay_clientcerts, act as usual
- if the client is found in relay_clientcerts, no longer announce
AUTH support; the auth and identity mapping are already done by the
relay_clientcerts map
I think it is not a big addition in code complexity on top of your work,
but before going further I would like to request comments about this.
Viktor, Wietse, would you accept such an addition?
Emmanuel.
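For readers following the thread, here is an added configuration sketch that is not part of either message and not stock Postfix: it assumes the smtpd_sasl_tls_ccert_username option behaves as Bastian's patch describes, and the CA file, map paths, hostnames, addresses and the fingerprint are constructed placeholders.

```ini
# /etc/postfix/main.cf (added example; assumes the proposed
# smtpd_sasl_tls_ccert_username patch, which stock Postfix lacks)

# Offer TLS and ask clients for a certificate; the CA bundle is only
# needed for "commonName" mode, fingerprint mode does not rely on it.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/appliance-ca.pem
# Digest used to compute the fingerprint looked up in relay_clientcerts.
smtpd_tls_fingerprint_digest = sha256

# Fingerprint -> lookup value; with the patch the value (previously
# unused by Postfix) becomes the SASL username for AUTH EXTERNAL.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# Proposed option from the patch: derive the login name from the map.
smtpd_sasl_auth_enable = yes
smtpd_sasl_tls_ccert_username = relay_clientcerts

# Tie the resulting login name to the envelope senders it may use,
# so a client certificate cannot be used to spoof other senders.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

# /etc/postfix/relay_clientcerts   (then: postmap /etc/postfix/relay_clientcerts)
# Constructed placeholder fingerprint; obtain the real one with:
#   openssl x509 -noout -fingerprint -sha256 -in client.pem
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF   appliance1

# /etc/postfix/sender_login_maps   (then: postmap /etc/postfix/sender_login_maps)
# sender address or @domain -> login name(s) allowed to use it
noreply@example.com      appliance1
@notify.example.com      appliance1
```

With this in place a certificate whose fingerprint is absent from relay_clientcerts gets no mapped identity and falls through to the usual restrictions, while a mapped client that tries a MAIL FROM outside its sender_login_maps entries is rejected by reject_sender_login_mismatch.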