Quoting Emmanuel Fusté <emmanuel.fu...@external.thalesgroup.com>:
You need the relay_clientcerts map with relay_clientcerts_auto mode.
Put the fingerprint or pkey_fingerprint and the mapped SASL identity in the file and it will work.
For example:
43:B6:FE:07:BB:2E:BF:86:8A:4D:2A:DD:78:07:09:C6    xxx.kwsoft.de


Will try that, but for our final use case we have no way to fix the fingerprint of the remote client; it can change at any time. The only thing which should stay is the CN.

smtpd_tls_loglevel = 2
smtpd_tls_ask_ccert = yes
smtpd_sasl_auth_enable = yes

smtpd_use_tls = yes
smtpd_tls_CApath = /etc/ssl/certs

But this leads to:

Apr 18 11:46:05 linux-test postfix/smtpd[4257]: kw-tools.hq.kwsoft.de[10.1.7.15]: subject_CN=xxx.kwsoft.de, issuer=SwissSign Server Silver CA 2014 - G22, fingerprint=B8:D9:ED:1F:33:FE:DB:36:11:A6:D9:3F:BA:B5:1D:44, pkey_fingerprint=43:B6:FE:07:BB:2E:BF:86:8A:4D:2A:DD:78:07:09:C6
Apr 18 11:46:05 linux-test postfix/smtpd[4257]: Trusted TLS connection established from kw-tools.hq.kwsoft.de[10.1.7.15]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 18 11:46:05 linux-test postfix/smtpd[4257]: NOQUEUE: reject: RCPT from kw-tools.hq.kwsoft.de[10.1.7.15]: 454 4.7.1 <xx...@kwsoft.eu>: Relay access denied; from=<xx...@kwsoft.de> to=<xx...@kwsoft.eu> proto=ESMTP helo=<kw-tools>
Apr 18 11:46:05 linux-test postfix/smtpd[4257]: disconnect from kw-tools.hq.kwsoft.de[10.1.7.15] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

What I actually need is relaying based on the validated certificate CN without forcing the client to use some form of authentication, so this would basically mean relay_clientcerts with a CN lookup key, or a relay_clientcerts_auto_cn that always skips AUTH and uses the CN as the username, I guess.

Yes, if you don't want fingerprint-to-something maps, you need a "commonName_auto" mode which relies on the SASL EXTERNAL provider to validate the user (it provides the map of valid users) but is auto-triggered. For that, you need to invoke SASL EXTERNAL auth directly in the smtpd SASL glue code, as is done in the processing of the AUTH verb (a simplified single-step version). I will look at it if I have time, but I prefer to wait for Viktor's/Wietse's comments first.

Emmanuel.

Thanks, so I will wait for comments on whether we can include our special case as well.

Andreas
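An added worked example, not code from the thread, from Emmanuel's proposed change, or from Postfix itself. It replays the smtpd log lines quoted above through a model of the standard permit_tls_clientcerts restriction (my reading of the Postfix documentation: the client certificate must have verified against smtpd_tls_CApath, i.e. "Trusted" or "Verified" in the log, and its fingerprint or pkey_fingerprint must be a key in relay_clientcerts; the map value is not consulted), then replays the same session after two kinds of certificate renewal. It contrasts that with a hypothetical CN-keyed lookup of the sort Andreas asks for; Postfix has no such table, and the relay_clientcerts_auto mode Emmanuel describes is not modelled. Two practitioner points it makes concrete: the main.cf fragment above shows no permit_tls_clientcerts in smtpd_relay_restrictions, and the 454 4.7.1 in the log is the code defer_unauth_destination (the stock default) produces, so "Relay access denied" after a Trusted connection is the expected outcome until that restriction is added; and keying the map on pkey_fingerprint survives a renewal only when the client keeps its key pair, which is exactly the case Andreas cannot rely on. All map contents, log lines and replacement fingerprints are constructed or copied from the thread.

```python
import re

# Constructed sample: the relay_clientcerts map from the thread. Key = certificate
# fingerprint or public-key fingerprint exactly as smtpd logs it; value = free text.
RELAY_CLIENTCERTS = """
# fingerprint / pkey_fingerprint                   comment
43:B6:FE:07:BB:2E:BF:86:8A:4D:2A:DD:78:07:09:C6    xxx.kwsoft.de
"""

# Hypothetical CN-keyed table for the mode Andreas asks for. Postfix has no such
# table; it is here only to contrast the two lookup keys.
RELAY_CLIENT_CNS = """
xxx.kwsoft.de    relay-ok
"""

# The two smtpd log lines from the thread that describe the client certificate
# and the trust level of the session.
LOG_LINES = [
    "Apr 18 11:46:05 linux-test postfix/smtpd[4257]: kw-tools.hq.kwsoft.de[10.1.7.15]: "
    "subject_CN=xxx.kwsoft.de, issuer=SwissSign Server Silver CA 2014 - G22, "
    "fingerprint=B8:D9:ED:1F:33:FE:DB:36:11:A6:D9:3F:BA:B5:1D:44, "
    "pkey_fingerprint=43:B6:FE:07:BB:2E:BF:86:8A:4D:2A:DD:78:07:09:C6",
    "Apr 18 11:46:05 linux-test postfix/smtpd[4257]: Trusted TLS connection established "
    "from kw-tools.hq.kwsoft.de[10.1.7.15]: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

CERT_RE = re.compile(
    r"subject_CN=(?P<cn>[^,]*), issuer=(?P<issuer>.*?), "
    r"fingerprint=(?P<fp>[0-9A-F:]+), pkey_fingerprint=(?P<pkfp>[0-9A-F:]+)"
)
TRUST_RE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established from"
)
VERIFIED_LEVELS = ("Trusted", "Verified")


def parse_map(text):
    """Parse a Postfix-style 'key value' text table; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def session_from_log(lines):
    """Collect the certificate fields and TLS trust level smtpd logged for one session."""
    session = {}
    for line in lines:
        m = CERT_RE.search(line)
        if m:
            session.update(m.groupdict())
        m = TRUST_RE.search(line)
        if m:
            session["trust"] = m.group("trust")
    return session


def permit_tls_clientcerts(session, relay_map):
    """Decision a permit_tls_clientcerts restriction would make (my reading of the
    Postfix docs): verified certificate AND fingerprint or pkey_fingerprint present
    as a key in relay_clientcerts. The map value is ignored."""
    if session.get("trust") not in VERIFIED_LEVELS:
        return False
    return session.get("fp") in relay_map or session.get("pkfp") in relay_map


def permit_by_cn(session, cn_map):
    """Hypothetical CN-keyed variant. The verification check is what makes it safe:
    the CN of an unverified certificate is chosen by whoever made the certificate."""
    if session.get("trust") not in VERIFIED_LEVELS:
        return False
    return session.get("cn") in cn_map


def renewed(session, new_key):
    """Model certificate renewal. The certificate fingerprint always changes; the
    public-key fingerprint changes only if a new key pair was generated.
    The replacement fingerprints are constructed placeholders."""
    s = dict(session, fp="01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF")
    if new_key:
        s["pkfp"] = "FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10"
    return s


def evaluate(lines=LOG_LINES):
    """Return (permit_tls_clientcerts, cn_lookup) decisions for four scenarios."""
    relay_map = parse_map(RELAY_CLIENTCERTS)
    cn_map = parse_map(RELAY_CLIENT_CNS)
    now = session_from_log(lines)
    scenarios = {
        "today": now,
        "renewed_same_key": renewed(now, new_key=False),
        "renewed_new_key": renewed(now, new_key=True),
        "untrusted_cert": dict(now, trust="Untrusted"),
    }
    return {name: (permit_tls_clientcerts(s, relay_map), permit_by_cn(s, cn_map))
            for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (by_fp, by_cn) in evaluate().items():
        print(f"{name:18} permit_tls_clientcerts={by_fp}  cn_lookup={by_cn}")
```

Running it shows the fingerprint-keyed map permitting the session today and after a renewal that keeps the key pair, denying it after a renewal with a fresh key, and both lookups denying an unverified certificate regardless of what its CN says.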


