On Thu, Aug 20, 2020 at 10:59:06AM -0400, Wietse Venema wrote:

> There's a chicken and egg question in there somewhere.
> 
> https://wiki1.dovecot.org/Authentication%20Protocol mentions
> two attributes that might be relevant, and that Postfix can send:
> 
> secured
>     Remote user has secured transport to auth client (eg. localhost, SSL, TLS)
> 
> valid-client-cert
>     Remote user has presented a valid SSL certificate.
> 
> But these are booleans. What protocol attribute would Postfix use
> to pass certificate name information (and which name, as there
> can be any number of them)?

For "EXTERNAL" to be applicable, Postfix would need to have a table
mapping client certificate fingerprints (or X.509 subject DNs, or even
specific SANs from trusted client certificates) to appropriate login
names.

Which really means doing "EXTERNAL" directly in Postfix.  There isn't
a good way of delegating EXTERNAL to another entity (i.e. Dovecot).

-- 
    Viktor.
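The point made above, as an added illustration that is not code from the thread, Postfix or Dovecot: the Dovecot auth-client AUTH line (tab-separated, layout assumed from the wiki page quoted above) can only flag `valid-client-cert` as a boolean, so the login name for EXTERNAL must be resolved from a local certificate-fingerprint table before or instead of the delegation. The certificate bytes and the fingerprint table are constructed.

```python
import hashlib
from typing import Optional

# Constructed stand-in for a DER-encoded client certificate (not a real certificate).
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-test-certificate-bytes"

# Hypothetical Postfix-side table: SHA-256 fingerprint of the client cert -> login name.
# This is the mapping the reply says Postfix would need; it is not carried by the Dovecot protocol.
FINGERPRINT_TO_LOGIN = {
    hashlib.sha256(SAMPLE_CLIENT_CERT_DER).hexdigest(): "alice@example.com",
}


def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def login_for_cert(der: bytes) -> Optional[str]:
    return FINGERPRINT_TO_LOGIN.get(cert_fingerprint(der))


def parse_auth_request(line: str) -> dict:
    """Parse an AUTH request line: AUTH<TAB>id<TAB>mechanism<TAB>key=value or bare flags."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    req = {"id": fields[1], "mechanism": fields[2], "params": {}, "flags": set()}
    for field in fields[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        else:
            req["flags"].add(field)  # booleans such as "secured", "valid-client-cert"
    return req


def external_login(line: str, client_cert_der: Optional[bytes]) -> Optional[str]:
    """Decide the login name for an EXTERNAL request.

    The AUTH line only says whether a valid cert was presented; the name itself
    has to come from the local fingerprint table, which the auth server never sees.
    """
    req = parse_auth_request(line)
    if req["mechanism"] != "EXTERNAL":
        return None
    if "valid-client-cert" not in req["flags"] or client_cert_der is None:
        return None
    return login_for_cert(client_cert_der)
```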
