Viktor Dukhovni wrote in
 <20200820163012.gl86...@straasha.imrryr.org>:
 |On Thu, Aug 20, 2020 at 10:59:06AM -0400, Wietse Venema wrote:
 |
 |> There's a chicken and egg question in there somewhere.
 |>
 |> https://wiki1.dovecot.org/Authentication%20Protocol mentions
 |> two attributes that might be relevant, and that Postfix can send:
 |>
 |>     secured
 |>         Remote user has secured transport to auth client (eg. localhost,
 |>         SSL, TLS)
 |>
 |>     valid-client-cert
 |>         Remote user has presented a valid SSL certificate.
 |>
 |> But these are booleans. What protocol attribute would Postfix use
 |> to pass certificate name information (and which name, as there
 |> can be any number of them)?
 |
 |For "EXTERNAL" to be applicable, Postfix would need to have a table
 |mapping client certificate fingerprints (or X.509 subject DNs, or even
 |specific SANs from trusted client certificates) to appropriate login
 |names.

Or just leave it. Even if there is a mismatch between the name in the
certificate and the name passed in the immediate response. That is
totally ugly. I think the real power of EXTERNAL would come into play
if the client certificate would be verified by the dovecot auth server,
too. I.e., if all the details of user authentication would be handled
there.

 |Which really means doing "EXTERNAL" directly in Postfix. There isn't
 |a good way of delegating EXTERNAL to another entity (i.e. Dovecot).

What I still do not understand is why in things like

  smtpd_client_restrictions =
      check_ccert_access hash:/etc/postfix/relay_clientcert,
      permit_tls_clientcerts,
      permit_sasl_authenticated,
      reject

the permit_tls_clientcerts does not cause the AUTH to be suppressed.
I think there should at least be an option to allow skipping AUTH via
SASL if the client certificate is correct. (I would not expect that
the postfix side handling of client certificates vanishes even if SASL
EXTERNAL becomes extended as envisioned in the other mail.)

Good night.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
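An added example, not code from the thread, from Postfix or from Dovecot, sketching in Python the two halves of the design Wietse and Viktor discuss: the Postfix-side table from client-certificate fingerprint to login name, the AUTH request line of the Dovecot auth-client protocol with its boolean secured / valid-client-cert attributes, and what the auth server can actually recover from such a line for EXTERNAL. The line format follows the wiki page linked above; the fingerprint, the user name and the table contents are constructed values.

```python
import base64

# Constructed stand-in for the Postfix-side table Viktor describes:
# client-certificate fingerprint -> login name (values are made up).
CCERT_TO_LOGIN = {"sha256:0123456789abcdef": "alice@example.com"}

def external_initial_response(fingerprint, table=CCERT_TO_LOGIN):
    """Postfix side: map a verified client-cert fingerprint to the authzid
    that SASL EXTERNAL sends as its initial response; None = unknown cert."""
    return table.get(fingerprint)

def build_auth_request(req_id, mechanism, service, secured,
                       valid_client_cert, initial_response=None):
    """Encode a Dovecot auth-client AUTH line: tab-separated, bare words
    are boolean flags, key=value fields carry data, resp= is base64."""
    fields = ["service=" + service]
    if secured:
        fields.append("secured")
    if valid_client_cert:
        fields.append("valid-client-cert")
    if initial_response is not None:
        fields.append("resp=" + base64.b64encode(initial_response).decode())
    return "\t".join(["AUTH", str(req_id), mechanism] + fields) + "\n"

def parse_auth_request(line):
    """Auth-server side: split an AUTH line into id, mechanism, boolean
    flags and key=value parameters, decoding resp= back to bytes."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    flags, params = set(), {}
    for field in parts[3:]:
        key, sep, value = field.partition("=")
        if sep:
            params[key] = value
        else:
            flags.add(key)
    if "resp" in params:
        params["resp"] = base64.b64decode(params["resp"])
    return {"id": int(parts[1]), "mechanism": parts[2],
            "flags": flags, "params": params}

def external_authzid(req):
    """All the auth server learns for EXTERNAL: the flags only say that some
    valid certificate was shown; the identity comes solely from resp=, so
    the server has no certificate name to compare it against."""
    if req["mechanism"] != "EXTERNAL" or "valid-client-cert" not in req["flags"]:
        return None
    return req["params"].get("resp")
```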