Wietse Venema:
> Continuing the discussion of a strawman user interface, I see some
> opportunities to generalize this and to make some improvements
> elsewhere in Postfix.
>
> We start with Postfix access control based on client certificate
> features:
>
>     smtpd_mumble_restrictions =
>         ...
>         check_tls_access {
>             maptype:mapname,
>             { search = rfc822name, subject_dn, smtputf8mailbox, ... } }
>         ...
>
> where the 'search' attribute specifies a list with one or more of
> rfc822name, subject_dn, smtputf8mailbox, key_fingerprint, and so on.

After a week of testing, Postfix snapshot 20190518 implements
support for:

    smtpd_mumble_restrictions =
        ...
        check_ccert_access {
            maptype:mapname,
            { search_order = cert_fingerprint, pubkey_fingerprint,
                subject, issuer } }
        ...

Where subject (or issuer) will search maptype:mapname for a match
with the client certificate's subject (or issuer) DN. The commas
are optional.

Search_order support is planned for rfc822name and smtputf8mailbox.
Those require new code to extract and sanity-check the corresponding
info from the client certificate.

    Wietse