On 27/03/2019 at 17:14, Viktor Dukhovni wrote:
> On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:
>> The goal is to be as transparent as possible:
>> - if the client is not found in the relay_clientcerts, act as usual
>> - if the client is found in the relay_clientcerts, no longer announce
>> AUTH support, the auth and identity mapping is already done by the
>> relay_clientcerts map
> I believe you're asking Postfix to (when configured to do that)
> simulate "AUTH EXTERNAL" when the client has presented a client
> certificate, but proceeds from "EHLO" to "MAIL FROM" with no
> intervening explicit "AUTH".
Yes, exactly: if a hash to sasl id/username mapping is found in the
relay_clientcerts.
> The simulated "AUTH EXTERNAL" would never "fail" (5XX), it either
> yields an authenticated user or proceeds with the user unauthenticated,
> and acts accordingly.
> Does that sound right?
Yes. In the unauthenticated case (not present in relay_clientcerts), the
simulated "AUTH EXTERNAL" must ideally not be performed and AUTH support
must be announced as usual, as this is perhaps a client with proper AUTH
support (otherwise it would be listed with a mapping in relay_clientcerts).
But I could live with an unconditional simulated "AUTH EXTERNAL" mode,
as clients do not normally present a certificate.
I have not yet dug into the code to see if it is doable in a "clean"
manner or if the unconditional simulated "AUTH EXTERNAL" mode is the
only way to go without too intrusive changes.
Emmanuel.
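The decision the thread above sketches (look the presented client certificate up by fingerprint in a relay_clientcerts-style map, treat a hit as an already-authenticated identity and stop advertising AUTH, otherwise behave as usual and never reject) can be modelled outside Postfix. The following Python is an added illustration written for this thread, not Postfix code and not the patch under discussion. It assumes the relay_clientcerts table is plain "fingerprint name" lines, that the fingerprint is the configured digest of the DER certificate in colon-separated uppercase hex (sha256 is assumed here; set it to whatever smtpd_tls_fingerprint_digest is on the server), and the certificate bytes are a constructed placeholder rather than a real certificate.

```python
import hashlib

# Constructed stand-in for a DER-encoded client certificate. A real server
# would take these bytes from the TLS layer after a verified handshake; this
# is not a valid certificate, it only gives the fingerprint code something to hash.
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-placeholder-not-a-certificate"


def cert_fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Fingerprint in the colon-separated uppercase hex form used as the
    relay_clientcerts lookup key, e.g. 'AB:CD:...'. 'digest' must match the
    server's smtpd_tls_fingerprint_digest (sha256 assumed here)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_clientcerts(text: str) -> dict:
    """Parse the two-column text form of a relay_clientcerts table
    (fingerprint, whitespace, name). Blank lines and '#' comments are skipped;
    a malformed line is ignored rather than aborting, mirroring a lookup
    table that simply has no entry for that key."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        table[parts[0].upper()] = parts[1].strip()
    return table


def lookup_identity(relay_clientcerts: dict, der, digest: str = "sha256"):
    """Map a presented certificate to the configured identity, or None when
    no certificate was presented or the fingerprint is unknown."""
    if der is None:
        return None
    return relay_clientcerts.get(cert_fingerprint(der, digest))


def ehlo_session(relay_clientcerts: dict, der, digest: str = "sha256") -> dict:
    """Model of the proposed behaviour for one session:
    - known certificate: the mapped name becomes the authenticated username
      and AUTH is no longer advertised in the EHLO response;
    - unknown or absent certificate: unauthenticated, AUTH advertised as usual.
    There is no failure path: the simulated AUTH EXTERNAL never yields a 5XX."""
    identity = lookup_identity(relay_clientcerts, der, digest)
    return {"sasl_username": identity, "advertise_auth": identity is None}


if __name__ == "__main__":
    # Build a one-entry table from the constructed certificate and show both outcomes.
    fp = cert_fingerprint(CLIENT_CERT_DER)
    table = parse_relay_clientcerts(f"# constructed example table\n{fp} relay-client-1\n")
    print("known cert:  ", ehlo_session(table, CLIENT_CERT_DER))
    print("no cert:     ", ehlo_session(table, None))
    print("unknown cert:", ehlo_session(table, b"some other constructed bytes"))
```

The security-relevant point is that a fingerprint hit is only as strong as the digest and the handshake behind it: the lookup is done on the DER bytes the TLS layer presents, so the server must still require a verified client certificate (and use a collision-resistant digest) before treating the mapped name as an authenticated identity.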