Viktor Dukhovni wrote in
 <20200820163012.gl86...@straasha.imrryr.org>:
 |On Thu, Aug 20, 2020 at 10:59:06AM -0400, Wietse Venema wrote:
 |
 |> There's a chicken and egg question in there somewhere.
 |> 
 |> https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |> two attributes that might be relevant, and that Postfix can send:
 |> 
 |> secured
 |>     Remote user has secured transport to auth client (e.g. localhost, SSL, TLS)
 |> 
 |> valid-client-cert
 |>     Remote user has presented a valid SSL certificate.
 |> 
 |> But these are booleans. What protocol attribute would Postfix use
 |> to pass certificate name information (and which name, as there
 |> can be any number of them)?
 |
 |For "EXTERNAL" to be applicable, Postfix would need to have a table
 |mapping client certificate fingerprints (or X.509 subject DNs, or even
 |specific SANs from trusted client certificates) to appropriate login
 |names.

Or just leave it.  Even if there is a mismatch in the name of the
certificate and the name passed in the immediate response.  That
is totally ugly.  I think the real power of EXTERNAL would come
into play if the client certificate would be verified by the
dovecot auth server, too.  I.e., if all the details of user
authentication would be handled there.

 |Which really means doing "EXTERNAL" directly in Postfix.  There isn't
 |a good way of delegating EXTERNAL to another entity (i.e. Dovecot).

What I still do not understand is why in things like

  smtpd_client_restrictions = check_ccert_access
      hash:/etc/postfix/relay_clientcert,
      permit_tls_clientcerts,
      permit_sasl_authenticated,
      reject

the permit_tls_clientcerts does not cause the AUTH to be
suppressed.  I think there should at least be an option to allow
skipping AUTH via SASL if the client certificate is correct.
(I would not expect that the Postfix side handling of client
certificates vanishes even if SASL EXTERNAL becomes extended as
envisioned in the other mail.)

Good night.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
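
As an added example (not part of this thread, and not Postfix or Dovecot code), the following Python shows how the lookup key for check_ccert_access in the relay_clientcert table above is derived: Postfix hashes the DER encoding of the client certificate with the digest named by smtpd_tls_fingerprint_digest and prints it as colon-separated upper-case hex pairs. The same key would serve in the fingerprint-to-login-name table Viktor describes. The certificate bytes, the table source text and the login mapping are all constructed placeholders; the parser handles only the simple "key value" form of a postmap hash: source file.

```python
import base64
import hashlib
import ssl

# Constructed placeholder bytes; NOT a real X.509 certificate. The fingerprint
# is just a digest over the DER bytes, so any payload exercises the arithmetic.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
OTHER_DER = b"a second constructed placeholder for a different client"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour that smtpd_tls_CAfile-style files use."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


def postfix_fingerprint(pem: str, digest: str = "sha256") -> str:
    """Format a certificate digest the way Postfix prints it for
    check_ccert_access lookups: upper-case hex pairs joined by colons.
    `digest` stands in for the smtpd_tls_fingerprint_digest setting."""
    der = ssl.PEM_cert_to_DER_cert(pem)          # strips armour, base64-decodes
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcert_source(fingerprints) -> str:
    """Render the source text that 'postmap hash:/etc/postfix/relay_clientcert'
    would compile: one 'fingerprint  OK' line per trusted client."""
    lines = ["# constructed example: certificate fingerprint  action"]
    lines += [f"{fp}  OK" for fp in fingerprints]
    return "\n".join(lines) + "\n"


def parse_table_source(text: str) -> dict:
    """Parse a simple postmap source file: 'key value' per line, blank lines
    and '#' comments skipped. Keys are kept exactly as written."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value.strip()
    return table


def lookup_ccert(pem: str, table: dict, digest: str = "sha256"):
    """Look a client certificate up by fingerprint. With an access table the
    value is an action such as OK; with a hypothetical fingerprint-to-login
    table (the mapping Viktor sketches) it would be the SASL login name."""
    return table.get(postfix_fingerprint(pem, digest))


if __name__ == "__main__":
    trusted = to_pem(CONSTRUCTED_DER)
    stranger = to_pem(OTHER_DER)
    access = parse_table_source(relay_clientcert_source([postfix_fingerprint(trusted)]))
    # Hypothetical mapping table: fingerprint -> login name (constructed).
    logins = {postfix_fingerprint(trusted): "relay-client-1"}
    print(postfix_fingerprint(trusted))
    print("access:", lookup_ccert(trusted, access), lookup_ccert(stranger, access))
    print("login :", lookup_ccert(trusted, logins), lookup_ccert(stranger, logins))
```

Note that the table key must be produced with the same digest Postfix is configured to use; a table built from md5 fingerprints silently stops matching once smtpd_tls_fingerprint_digest is switched to sha256, which is why the digest is a parameter here.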