On 27/03/2019 at 18:10, Emmanuel Fusté wrote:
On 27/03/2019 at 17:14, Viktor Dukhovni wrote:
On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:

The goal is to be as transparent as possible :
- if the client is not found in the relay_clientcerts, act as usual
- if the client is found in the relay_clientcerts, no longer announce
AUTH support, the auth and identity mapping is already done by the
relay_clientcerts map
I believe you're asking Postfix to (when configured to do that)
simulate "AUTH EXTERNAL" when the client has presented a client
certificate, but proceeds from "EHLO" to "MAIL FROM" with no
intervening explicit "AUTH".
Yes, exactly: if a hash to SASL id/username mapping is found in the relay_clientcerts map.

The simulated "AUTH EXTERNAL" would never "fail" (5XX), it either
yields an authenticated user or proceeds with the user unauthenticated,
and acts accordingly.

Does that sound right?
Yes; in the unauthenticated case (not present in relay_clientcerts), the simulated "AUTH EXTERNAL" must ideally not be performed, and AUTH support should be announced as usual, as this is perhaps a client with proper AUTH support (otherwise it would be listed with a mapping in relay_clientcerts).

Ok, patch attached.
It needs to be applied on top of Bastian's one.
Works well here, thanks to the hard part done by Bastian!
Please comment.

Emmanuel.
--- postfix-3.4.5/src/smtpd/smtpd_sasl_glue.c   2019-04-10 12:26:39.571554576 
+0200
+++ postfix-3.4.5-cert-auto/src/smtpd/smtpd_sasl_glue.c 2019-04-10 
12:35:26.189153746 +0200
@@ -201,6 +201,7 @@
     static const NAME_CODE sasl_tls_user[] = {
        SASL_TLS_USER_NAME_COMMON_NAME, SASL_TLS_USER_COMMON_NAME,
        SASL_TLS_USER_NAME_RELAY_CLIENTCERTS, SASL_TLS_USER_RELAY_CLIENTCERTS,
+       SASL_TLS_USER_NAME_RELAY_CLIENTCERTS_AUTO, 
SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO,
        0, SASL_TLS_USER_NONE
     };
 #endif
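Review bot: the added table entry is wrapped across two lines by the mailer ('+       SASL_TLS_USER_NAME_RELAY_CLIENTCERTS_AUTO,' followed by an unprefixed 'SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO,'), so patch(1) will reject this hunk as posted; the same wrapping hits the file headers and the name_code() call further down. Attach the diff as a file (or send it with line wrapping disabled) so that it can be applied on top of Bastian's patch as intended.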
@@ -236,6 +237,7 @@
                verified_user = TLS_CERT_IS_TRUSTED(state->tls_context) ? 
state->tls_context->peer_CN : 0;
                break;
            case SASL_TLS_USER_RELAY_CLIENTCERTS:
+           case SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO:
                if ( TLS_CERT_IS_PRESENT(state->tls_context) ) {
                    int i;
                    char *prints[2];
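Review bot: the new 'case SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO:' label falls into the existing relay_clientcerts lookup, which is the intent (both modes resolve the client fingerprint through the same map), but a '/* FALLTHROUGH */' style comment above the shared body would make that explicit for later readers and for compilers that warn on implicit fallthrough. Because the lookup is guarded by TLS_CERT_IS_PRESENT(), verified_user stays 0 for sessions without a client certificate, which is what keeps the "act as usual" path intact for those clients.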
@@ -262,6 +264,15 @@
 #endif
 #define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
 #define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)
+   
+    if ((name_code(sasl_tls_user, NAME_CODE_FLAG_NONE,
+                 var_smtpd_sasl_tls_ccert_username) == 
SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO)
+        && verified_user) {
+
+       smtpd_sasl_login(state, verified_user, "RELAY_CLIENTCERTS_AUTO"); 
+       state->sasl_mechanism_list = mystrdup("");
+       return;
+    }
 
     if ((state->sasl_server =
         XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
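Review bot: the early 'return' after smtpd_sasl_login() skips XSASL_SERVER_CREATE(), so state->sasl_server is never created for such a session; every later path that assumes activation produced a server object (deactivate/logout at end of session, and the AUTH command handler if a client sends AUTH anyway although it was not announced) has to tolerate that, which deserves either an explicit check here or a comment pointing at where it is handled. Two smaller points: name_code() on var_smtpd_sasl_tls_ccert_username is evaluated a second time although the switch in the previous hunk already dispatched on the same value, so keeping the result in a local variable would avoid the repeated lookup; and 'state->sasl_mechanism_list = mystrdup("")' relies on the EHLO reply code treating an empty list as "do not announce AUTH" rather than printing an empty 'AUTH' line, which should be verified, and the duplicated string is leaked if the list was already set. The hunk also carries trailing whitespace on the blank '+' line and after the smtpd_sasl_login() call.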
--- postfix-3.4.5/src/smtpd/smtpd_sasl_glue.h   2019-04-10 12:26:39.571554576 
+0200
+++ postfix-3.4.5-cert-auto/src/smtpd/smtpd_sasl_glue.h 2019-04-10 
11:10:49.054873903 +0200
@@ -26,10 +26,12 @@
 /* for SASL external auth */
 #define SASL_TLS_USER_NAME_COMMON_NAME "commonName"
 #define SASL_TLS_USER_NAME_RELAY_CLIENTCERTS "relay_clientcerts"
+#define SASL_TLS_USER_NAME_RELAY_CLIENTCERTS_AUTO "relay_clientcerts_auto"
 
 #define SASL_TLS_USER_NONE 0
 #define SASL_TLS_USER_COMMON_NAME 1
 #define SASL_TLS_USER_RELAY_CLIENTCERTS 2
+#define SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO 3
 
 /* LICENSE
 /* .ad
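Review bot: the new "relay_clientcerts_auto" value is only added to the header; the patch carries no corresponding update to the documentation of the setting read through var_smtpd_sasl_tls_ccert_username, so the new value, and the fact that it silently suppresses the AUTH announcement for mapped clients, will be invisible to administrators. Add a short description next to the existing "commonName" and "relay_clientcerts" values in the same change.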
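The behaviour agreed on above (announce AUTH as usual unless the client certificate maps to a name in relay_clientcerts, in which case the identity is taken from the map and AUTH is no longer announced, never answering 5XX) is modelled below with both sides of the SMTP exchange. This is an added illustration, not Postfix code and not part of the patch; the fingerprint map, certificate bytes, capability list and the "relay_clientcerts_auto" mode string are constructed or taken from the patch as assumptions, and the log-style annotation on the MAIL FROM reply is only there to show what the server decided.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# What the server would normally announce after STARTTLS (constructed list).
AUTH_MECHANISMS = ["PLAIN", "LOGIN"]
BASE_CAPABILITIES = ["PIPELINING", "8BITMIME"]


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the key format of a
    relay_clientcerts table. Postfix hashes the real certificate DER;
    here the input is constructed."""
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# Constructed relay_clientcerts-style map: fingerprint -> SASL login name.
KNOWN_CLIENT_DER = b"constructed DER bytes of a trusted relay client"
RELAY_CLIENTCERTS: Dict[str, str] = {fingerprint(KNOWN_CLIENT_DER): "relay1@example.com"}


def ehlo_decision(cert_der: Optional[bytes],
                  relay_clientcerts: Dict[str, str],
                  ccert_username_mode: str
                  ) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Server-side decision after STARTTLS.

    Returns (EHLO capabilities, sasl_username, sasl_method).
    - no certificate, or certificate not in the map: AUTH announced, no identity
    - certificate in the map and mode "relay_clientcerts_auto": identity from
      the map, AUTH not announced (the patch's behaviour)
    - any other mode: AUTH announced, identity only via an explicit AUTH
      command (assumption about the non-auto modes)
    The function never produces a 5XX: it either authenticates or falls back.
    """
    verified_user = None
    if cert_der is not None:
        verified_user = relay_clientcerts.get(fingerprint(cert_der))

    if ccert_username_mode == "relay_clientcerts_auto" and verified_user:
        # Simulated "AUTH EXTERNAL": identity mapped, mechanism list emptied.
        return list(BASE_CAPABILITIES), verified_user, "RELAY_CLIENTCERTS_AUTO"

    # Act as usual: announce AUTH so a client with real AUTH support can use it.
    return list(BASE_CAPABILITIES) + ["AUTH " + " ".join(AUTH_MECHANISMS)], None, None


def simulate_session(cert_der: Optional[bytes],
                     relay_clientcerts: Dict[str, str],
                     ccert_username_mode: str) -> List[str]:
    """Both sides of the exchange: EHLO, then MAIL FROM with no AUTH in between."""
    caps, user, method = ehlo_decision(cert_der, relay_clientcerts, ccert_username_mode)
    lines = ["C: EHLO client.example"]
    lines += [f"S: 250-{c}" for c in caps[:-1]] + [f"S: 250 {caps[-1]}"]
    lines.append("C: MAIL FROM:<sender@example.com>")
    if user:
        # Annotation only: Postfix logs sasl_method/sasl_username on the
        # connection record rather than in the SMTP reply.
        lines.append(f"S: 250 2.1.0 Ok (sasl_method={method} sasl_username={user})")
    else:
        lines.append("S: 250 2.1.0 Ok (unauthenticated; relaying decided by restrictions)")
    return lines


if __name__ == "__main__":
    for label, der in [("mapped client", KNOWN_CLIENT_DER),
                       ("unmapped client", b"constructed DER of some other client"),
                       ("no client certificate", None)]:
        print(f"--- {label} ---")
        print("\n".join(simulate_session(der, RELAY_CLIENTCERTS, "relay_clientcerts_auto")))
```

Run it to see the three sessions side by side: only the mapped client loses the AUTH capability line and gets an identity without sending AUTH; the other two see the usual AUTH announcement and remain unauthenticated until they send one.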
