Quote from Viktor Dukhovni <postfix-us...@dukhovni.org>:

> On Apr 19, 2019, at 1:10 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
>>> Using a name instead of cert fingerprint also requires revocation checking.
>>
>> Cert revocation is not needed, as long as there is an explicit
>> mapping like:
>>
>>    certificate identity -> permit/etc action
>>    certificate identity -> ersatz SASL login name
>>
>> By removing such a mapping, one can 'revoke' the privileges that
>> were associated with the certificate.
>
> My thoughts exactly!  We should probably document this:
>
>         Note: No revocation checks are performed.  To revoke privileges,
>         remove the table entry matching a given certificate or "subject".
>
> As for "CN" matching, I'm concerned that multiple certificates can have
> the same CN, which is not required to be unique, especially if the certificates
> have different "O" or "OU" values.  What's more likely to be unique is
> an rfc822Name subjectAlternative name, or the full subject DN.  More
> recently, we also have SmtpUTF8Mailbox:
>
>         https://tools.ietf.org/html/rfc8398#section-3
>
> So I think that more thought needs to go into what lookup key or
> keys are extracted from the candidate certificates.  This may need
> to be configurable, or we could try:
>
>         1. The full subject DN (in RFC2854 form, suitably quoted).
>         2. Each rfc822Name SAN.
>         3. Each SmtpUTF8Mailbox (note U-label domain part).

The multiple certificates with one common CN would be a feature in my case. We need to relay O365 mail and don't want to open the whole IP space used by O365, which is changing anyway. So the plan was to use the common CN for all of the outgoing servers.

One example is:

Apr 17 17:03:45 mailin postfix/smtpd[6909]: mail-ve1eur02lp0207.outbound.protection.outlook.com[2a01:111:f400:7e06::207]: depth=0 verify=1 subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com

There are many DNS names and the full subject is also different, but to my knowledge we always have "CN=mail.protection.outlook.com".

The question is if the CAs check/validate the CN and protect it against misuse.

Andreas
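As an added example (not Postfix code and not from anyone in this thread), the Python below builds the three candidate lookup keys Viktor lists and runs them against an access table, using constructed certificate data modelled on the log line quoted above; the RFC 4514 escaping, the `subject:`/`rfc822Name:`/`SmtpUTF8Mailbox:` key prefixes and the parsed-certificate dict layout are this example's own assumptions. It shows that a table keyed on the full subject DN separates two certificates that share a CN, and that deleting the table entry is what revokes access.

```python
# Certificates are modelled as already-parsed dicts (constructed data);
# a real deployment would take these fields from the X.509 object.
from typing import Dict, List, Optional, Sequence, Tuple

_SPECIAL = set(',+"\\<>;')  # RFC 4514 characters that need a backslash

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:  # control characters as \XX hex pairs
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def subject_dn_string(subject: Sequence[Tuple[str, str]]) -> str:
    """Full subject DN in RFC 4514 string form (most specific RDN first)."""
    return ','.join(f'{t}={escape_rdn_value(v)}' for t, v in reversed(subject))

def smtputf8_mailbox_key(local: str, domain: str) -> str:
    """SmtpUTF8Mailbox key with the domain in U-label form (RFC 8398)."""
    return f'SmtpUTF8Mailbox:{local}@{domain.lower().encode("ascii").decode("idna")}'

def candidate_keys(cert: Dict) -> List[str]:
    """Ordered keys: full subject DN, each rfc822Name SAN, each SmtpUTF8Mailbox."""
    keys = ['subject:' + subject_dn_string(cert['subject'])]
    keys += ['rfc822Name:' + m.lower() for m in cert.get('rfc822Name', [])]
    keys += [smtputf8_mailbox_key(l, d) for l, d in cert.get('SmtpUTF8Mailbox', [])]
    return keys

def lookup_action(cert: Dict, table: Dict[str, str]) -> Optional[str]:
    """First matching table entry wins; deleting the entry revokes the privilege,
    so no CRL/OCSP check is involved in this model."""
    for key in candidate_keys(cert):
        if key in table:
            return table[key]
    return None

# Constructed sample data modelled on the log line quoted above.
O365_CERT = {'subject': [('C', 'US'), ('ST', 'Washington'), ('L', 'Redmond'),
                         ('O', 'Microsoft Corporation'),
                         ('CN', 'mail.protection.outlook.com')]}
# Constructed: another organisation whose certificate carries the same CN.
LOOKALIKE_CERT = {'subject': [('C', 'US'), ('O', 'Example, Inc.'),
                              ('CN', 'mail.protection.outlook.com')]}
```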