Continuing the discussion of a strawman user interface, I see some
opportunities to generalize this and to make some improvements
elsewhere in Postfix.

We start with Postfix access control based on client certificate
features:

smtpd_mumble_restrictions =
    ...
    check_tls_access {
        maptype:mapname, 
        { search = rfc822name, subject_dn, smtputf8mailbox, ... } }
    ...

where the 'search' attribute specifies a list with one or more of
rfc822name, subject_dn, smtputf8mailbox, key_fingerprint, and so on.

This requires new infrastructure that converts the 'search' list
into a list of named constants (internally, a vector of NAME_CODE
results). check_tls_access is then implemented as a loop over the
internal form of the search list.

So far, so good.

Would this syntax also be useful for other Postfix features? It
would be good if it does. Here's a strawman inside a strawman.

Once the above is implemented, the same approach could be used to
improve other parts of Postfix by making existing hard-coded behavior
configurable, for example how check_client_access looks up subnet
and partial address information, or how virtual_alias_maps looks
up full and partial address forms. The examples below show the
lookup order that is currently hard-coded.

    smtpd_mumble_restrictions =
        ...
        check_client_access {
            maptype:mapname,
            # instead of parent, maybe use dot-parent or no parent
            { search = domain, parent, address, subnet }
        }
        ...

    virtual_alias_maps = {
        hash:/etc/postfix/virtual,
        { search = full, full-noext, localpart-if-local, at-domain }
    } {
        other table ...
    }

Ditto for canonical_maps and transport_maps.

This would be a compatibility break, because with the above, all
virtual_alias_maps searches are done on the first table before
trying the next table. One could argue that current behavior is
non-intuitive.

Another possible benefit: this syntax may be useful to support
substring queries with 'postmap -q'.
 
To make the main.cf configuration easier to use, the config file
parser could be modified to process '}' at the start of a line as
the continuation of the preceding line. This would be a simple change.

        Wietse

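The "convert the search list once, then loop over the internal form" design sketched in the message above, as an added example in C. This is illustration code, not Postfix source: the attribute names, the enum values, the `name_code` table layout, the `cert_attrs` struct, the constructed access table and the function names are all assumptions made for this example. The one point worth seeing in running code is that unknown or duplicate attribute names are rejected when the list is parsed, not silently skipped at lookup time, and that the configured order decides which certificate field wins when several could match.

```c
/* Added example, not Postfix code: parse a "search = a, b, c" attribute
 * list into a vector of integer codes via a NAME_CODE-style table, then
 * implement the access check as a loop over that vector. */
#include <stdio.h>
#include <string.h>

/* Hypothetical attribute codes; Postfix would define its own. */
enum { SEARCH_RFC822NAME = 1, SEARCH_SUBJECT_DN, SEARCH_SMTPUTF8MAILBOX,
       SEARCH_KEY_FINGERPRINT };

/* Name-to-code table in the NAME_CODE convention (contents assumed). */
struct name_code { const char *name; int code; };
static const struct name_code search_table[] = {
    { "rfc822name",      SEARCH_RFC822NAME },
    { "subject_dn",      SEARCH_SUBJECT_DN },
    { "smtputf8mailbox", SEARCH_SMTPUTF8MAILBOX },
    { "key_fingerprint", SEARCH_KEY_FINGERPRINT },
    { 0, 0 },
};

#define MAX_SEARCH 8
#define SEPARATORS ", \t"

/* Parse "name, name, ..." into codes[]. Returns the count, or -1 for an
 * unknown name, a duplicate name, or too many names. Failing here means
 * a typo in main.cf cannot silently shrink the set of fields checked. */
int parse_search_list(const char *spec, int *codes, int max)
{
    const char *p = spec;
    int n = 0;

    while (*p) {
        const struct name_code *np;
        size_t len;
        int i;

        p += strspn(p, SEPARATORS);          /* skip separators */
        if (*p == 0)
            break;
        len = strcspn(p, SEPARATORS);        /* length of this token */
        for (np = search_table; np->name; np++)
            if (strlen(np->name) == len && strncmp(np->name, p, len) == 0)
                break;
        if (np->name == 0)
            return -1;                       /* unknown attribute */
        for (i = 0; i < n; i++)
            if (codes[i] == np->code)
                return -1;                   /* duplicate attribute */
        if (n >= max)
            return -1;                       /* list too long */
        codes[n++] = np->code;
        p += len;
    }
    return n;
}

/* Certificate fields as a TLS layer might hand them over (assumed shape). */
struct cert_attrs {
    const char *rfc822name, *subject_dn, *smtputf8mailbox, *key_fingerprint;
};

/* Constructed access table: lookup key -> action. */
struct access_entry { const char *key; const char *action; };
static const struct access_entry access_table[] = {
    { "ops@example.com",                 "OK" },
    { "CN=relay.example.net,O=Example",  "REJECT" },
    { 0, 0 },
};

static const char *table_lookup(const char *key)
{
    const struct access_entry *ep;
    if (key == 0)
        return 0;                            /* field absent from cert */
    for (ep = access_table; ep->key; ep++)
        if (strcmp(ep->key, key) == 0)
            return ep->action;
    return 0;
}

/* The access check as a loop over the parsed list: the first configured
 * attribute that is present and matches a table entry decides. */
const char *check_tls_access(const struct cert_attrs *c, const int *codes, int n)
{
    int i;
    for (i = 0; i < n; i++) {
        const char *key = 0, *action;
        switch (codes[i]) {
        case SEARCH_RFC822NAME:      key = c->rfc822name;      break;
        case SEARCH_SUBJECT_DN:      key = c->subject_dn;      break;
        case SEARCH_SMTPUTF8MAILBOX: key = c->smtputf8mailbox; break;
        case SEARCH_KEY_FINGERPRINT: key = c->key_fingerprint; break;
        }
        if ((action = table_lookup(key)) != 0)
            return action;
    }
    return "DUNNO";
}

/* Run one search order against a constructed certificate whose rfc822name
 * and subject_dn both appear in the table, so the order decides the result. */
const char *demo_result(const char *order)
{
    int codes[MAX_SEARCH];
    int n = parse_search_list(order, codes, MAX_SEARCH);
    static const struct cert_attrs c = {
        "ops@example.com", "CN=relay.example.net,O=Example", 0, "ab:cd"
    };
    if (n < 0)
        return "CONFIG_ERROR";
    return check_tls_access(&c, codes, n);
}

int main(void)
{
    printf("rfc822name first: %s\n", demo_result("rfc822name, subject_dn"));
    printf("subject_dn first: %s\n", demo_result("subject_dn, rfc822name"));
    printf("typo in list:     %s\n", demo_result("rfc822name, subjectdn"));
    return 0;
}
```

The constructed certificate deliberately matches two table entries with opposite actions, so swapping the two names in the search list flips the verdict; that is the property an operator has to keep in mind when writing such a list.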