On Sat, May 18, 2019 at 11:01:28AM -0400, Wietse Venema wrote:

> After a week of testing, Postfix snapshot 20190518 implements support
> for:
> 
> smtpd_mumble_restrictions =
>     ...
>     check_ccert_access {
>         maptype:mapname, { search_order = cert_fingerprint,
>           pubkey_fingerprint, subject, issuer }
>     }
>     ...
> 
> Where subject (or issuer) will search maptype:mapname for a match
> with the client certificate's subject (or issuer) DN. The commas
> are optional.

Presumably, the pubkey_fingerprint and cert_fingerprint are available
unconditionally, while the "subject" and "issuer" DNs are only
queried when the certificate is "trusted".

> Search_order support is planned for rfc822name and smtputf8mailbox.
> Those require new code to extract and sanity-check the corresponding
> info from the client certificate.

And likewise for these.

-- 
    Viktor.
