Quote from Viktor Dukhovni <postfix-us...@dukhovni.org>:
> On Apr 19, 2019, at 1:10 PM, Wietse Venema <wie...@porcupine.org> wrote:
>>> Using a name instead of cert fingerprint also requires revocation checking.
>> Cert revocation is not needed, as long as there is an explicit
>> mapping like:
>>     certificate identity -> permit/etc action
>>     certificate identity -> ersatz SASL login name
>> By removing such a mapping, one can 'revoke' the privileges that
>> were associated with the certificate.
> My thoughts exactly! We should probably document this:
>     Note: No revocation checks are performed. To revoke privileges,
>     remove the table entry matching a given certificate or "subject".
> As for "CN" matching, I'm concerned that multiple certificates can have
> the same CN, which is not required unique, especially if the certificates
> have different "O" or "OU" values. What's more likely to be unique is
> an rfc822Name subjectAlternative name, or the full subject DN. More
> recently, we also have SmtpUTF8Mailbox:
> https://tools.ietf.org/html/rfc8398#section-3
> So I think that more thought needs to go into what lookup key or
> keys are extracted from the candidate certificates. This may need
> to be configurable, or we could try:
> 1. The full subject DN (in RFC2854 form, suitably quoted).
> 2. Each rfc822Name SAN.
> 3. Each SmtpUTF8Mailbox (note U-label domain part).
The multiple certificates with one common CN would be a feature in my
case. We need to relay O365 mail and don't want to open the whole IP
space used by O365 which is changing anyway. So the plan was to use
the common CN for the whole outgoing servers.
One example is:
Apr 17 17:03:45 mailin postfix/smtpd[6909]: mail-ve1eur02lp0207.outbound.protection.outlook.com[2a01:111:f400:7e06::207]: depth=0 verify=1 subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
There are many DNS names and the full subject is also different, but to
my knowledge we always have
"CN=mail.protection.outlook.com"
The question is if the CAs check/validate the CN and protect it
against misuse.
Andreas
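To make the two points of this exchange concrete (Viktor's proposed lookup-key order of full subject DN, then rfc822Name SANs, then SmtpUTF8Mailbox, and Wietse's "revoke by removing the table entry" model), here is an added illustration that is not Postfix code and not from any poster in the thread. It escapes DN values per RFC 4514 (the successor of RFC 2253) as an assumed choice of string form, the certificate identities and access table are constructed rather than parsed from real certificates, and the first identity mirrors the subject in the log line above so that the CN-collision concern can be seen directly:

```python
"""
Candidate lookup keys for certificate-based access control.

Added example for this thread, not Postfix code. It models the key order
Viktor proposed (full subject DN, then each rfc822Name SAN, then each
SmtpUTF8Mailbox) and Wietse's "revoke by removing the table entry" model,
and shows why a bare CN is a weaker key than the full subject DN.
The certificate identities and the access table below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 (assumed string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def subject_dn_string(rdns: List[Tuple[str, str]]) -> str:
    """RFC 2253/4514 string form: RDNs most-specific first, comma separated."""
    return ','.join(f"{attr}={escape_rdn_value(val)}" for attr, val in reversed(rdns))


def normalize_mailbox(addr: str) -> str:
    """Lower-case only the domain part; the local part is case-sensitive."""
    local, sep, domain = addr.rpartition('@')
    return local + sep + domain.lower() if sep else addr


@dataclass
class CertIdentity:
    # Subject RDNs in certificate order (least specific first), as in the
    # "subject=/C=US/ST=.../CN=..." line logged by smtpd.
    subject_rdns: List[Tuple[str, str]]
    rfc822_names: List[str] = field(default_factory=list)        # rfc822Name SANs
    smtputf8_mailboxes: List[str] = field(default_factory=list)  # RFC 8398 SANs (U-label domain)

    def common_name(self) -> Optional[str]:
        return next((val for attr, val in self.subject_rdns if attr == "CN"), None)

    def lookup_keys(self) -> List[str]:
        """Keys in the order Viktor proposed; the first table hit wins."""
        keys = [subject_dn_string(self.subject_rdns)]
        keys += [normalize_mailbox(n) for n in self.rfc822_names]
        keys += [normalize_mailbox(m) for m in self.smtputf8_mailboxes]
        return keys


def decide(cert: CertIdentity, table: Dict[str, str]) -> Optional[str]:
    """Return the action for the first key present in the table, else None.
    No revocation check is made; an identity without an entry simply gets None."""
    for key in cert.lookup_keys():
        if key in table:
            return table[key]
    return None


def revoke(cert: CertIdentity, table: Dict[str, str]) -> int:
    """Revoke by deleting every table entry this certificate would match."""
    removed = 0
    for key in cert.lookup_keys():
        if table.pop(key, None) is not None:
            removed += 1
    return removed


# Constructed identities. The first mirrors the subject in the log line above.
OUTLOOK_CERT = CertIdentity(
    [("C", "US"), ("ST", "Washington"), ("L", "Redmond"),
     ("O", "Microsoft Corporation"), ("CN", "mail.protection.outlook.com")])
# Same CN, different O: a CN-only key could not tell these two apart.
LOOKALIKE_CERT = CertIdentity(
    [("C", "US"), ("O", "Example, Inc."), ("CN", "mail.protection.outlook.com")])
PARTNER_CERT = CertIdentity(
    [("C", "DE"), ("O", "Partner GmbH"), ("CN", "relay.partner.example")],
    rfc822_names=["Relay@Partner.Example"])


def build_table() -> Dict[str, str]:
    """Constructed access table keyed by full subject DN or by rfc822Name SAN."""
    return {
        subject_dn_string(OUTLOOK_CERT.subject_rdns): "OK",
        "Relay@partner.example": "OK",
    }


if __name__ == "__main__":
    table = build_table()
    for cert in (OUTLOOK_CERT, LOOKALIKE_CERT, PARTNER_CERT):
        print(cert.common_name(), "->", decide(cert, table))
    revoke(OUTLOOK_CERT, table)
    print("after revoke:", decide(OUTLOOK_CERT, table))
```

Run stand-alone, the script shows the Outlook and lookalike certificates sharing a CN while only the full-DN entry matches, the partner certificate matching on its rfc822Name SAN with the domain part case-folded, and the Outlook entry ceasing to match as soon as it is removed from the table, which is the whole of the "revocation" mechanism under this design.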