Viktor Dukhovni wrote in <20200825161847.gu37...@straasha.imrryr.org>:
|On Tue, Aug 25, 2020 at 05:56:41PM +0200, Steffen Nurpmeso wrote:
....
|You have still not answered Wietse's question. If you were to do
|"EXTERNAL" auth, what determines whether a user presented a valid
|credential, and what part of the certificate determines the associated
|login name? Who is authorised to assert such login names?
|
|You need to be careful to not inadvertently authorise every CA on the
|planet to assert login credentials on your server. Avoiding this takes
|some care.

But no, I have done so from the very start? Or I do not understand what you mean. Postfix is the one that validates the client certificate the same way it does now. And it passes the necessary information to the SASL auth server so that the announced EXTERNAL SASL mechanism can actually truly be used, and succeeds.

At the moment, if check_ccert_access is used, and SASL is, too, two entirely distinct logins are thinkable, no? Isn't that a much bigger mess than just allowing EXTERNAL and letting the commonName of the certificate be of any value? I do not understand. This is how it is done??

|As I said before, instead of sending patches, if you want to see
|new functionality in Postfix, please post a clear set of written
|requirements and a proposed design (if you want to propose one).

And as I said before, all I could imagine is that the dovecot SASL auth is improved, so that a fingerprint digest is exchanged, and an actual fingerprint is passed. But for postfix this likely does not change the situation even then, because all the different sorts of client certificate checks surely will not go away. And you do have at least check_ccert_access as well as permit_tls_clientcerts+relay_clientcerts possibilities, do you?

What is actually wrong? I do not propose anything, it is you who have at least two different client certificate mechanisms _plus_ SASL, which is inspected _in addition_ for at least the check_ccert_access that I have configured correctly? Correct? If so, where is the problem of allowing dovecot to use the data of the verified client certificate?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)