Viktor Dukhovni wrote in
 <20200825161847.gu37...@straasha.imrryr.org>:
 |On Tue, Aug 25, 2020 at 05:56:41PM +0200, Steffen Nurpmeso wrote:
 ....
 |You have still not answered Wietse's question.  If you were to do
 |"EXTERNAL" auth, what determines whether a user presented a valid
 |credential, and what part of the certificate determines the associated
 |login name?  Who is authorised to assert such login names?
 |
 |You need to be careful to not inadvertently authorise every CA on the
 |planet to assert login credentials on your server.  Avoiding this takes
 |some care.

But no, i have done so from the very start?
Or i do not understand what you mean.

Postfix is the one that validates the client certificate the same
way it does now.  And it passes the necessary information to the
SASL auth server so that the announced EXTERNAL SASL mechanism can
actually truly be used, and succeeds.

At the moment, if check_ccert_access is used, and SASL is, too,
two entirely distinct logins are thinkable, no?  Isn't that a much
bigger mess?  Than just allowing EXTERNAL and let the commonName
of the certificate be of any value.  I do not understand.
This is how it is done??

 |As I said before, instead of sending patches, if you want to see
 |new functionality in Postfix, please post a clear set of written
 |requirements and a proposed design (if you want to propose one).

And as i said before, all i could imagine is that the dovecot SASL
auth is improved, so that a fingerprint digest is exchanged, and
an actual fingerprint is passed.

But for postfix this likely does not change the situation even
then, because all the different sorts of client certificate
checkings surely will not go away.
And you do have at least check_ccert_access as well as
permit_tls_clientcerts+relay_clientcerts possibilities, do you?

What is actually wrong?  I do not propose anything, it is you who
have at least two different client certificate mechanisms _plus_
SASL, which is inspected _in addition_ for at least the
check_ccert_access that i have configured correctly?  Correct?
If so, where is the problem of allowing dovecot to use the data of
the verified client certificate?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
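Added example, mine and not code from this thread, from Postfix or from Dovecot: a small model of the question Viktor raises above, namely what turns a client certificate that Postfix has already verified against its CA store into a SASL EXTERNAL login name, and who gets to assert that name. It contrasts a policy that takes the commonName of any verified certificate with a relay_clientcerts-style policy that only accepts explicitly enrolled fingerprints and takes the login name from the local map. The names VerifiedClientCert, policy_trust_any_ca, policy_fingerprint_allowlist, RELAY_CLIENTCERTS and compare_policies are invented for the example, and the certificate bytes are constructed placeholders, not real DER.

```python
# Added example, not code from the postfix-users thread, Postfix or Dovecot.
# It models the authorization step after chain validation: given a client
# certificate the TLS layer has verified, which login name (if any) may it
# assert via SASL EXTERNAL?
#
# All names here are invented for the example; the DER bytes are constructed
# placeholders and not real ASN.1.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class VerifiedClientCert:
    """What the TLS layer can hand to the auth backend after chain validation."""
    der: bytes        # DER-encoded certificate (constructed placeholder bytes here)
    common_name: str  # subject commonName as parsed from the certificate
    issuer: str       # issuer name; the chain to this CA has already been verified

    def fingerprint(self, algo: str = "sha256") -> str:
        """Colon-separated uppercase hex digest of the DER bytes, in the layout
        that `openssl x509 -noout -fingerprint -sha256` prints."""
        hexdigest = hashlib.new(algo, self.der).hexdigest().upper()
        return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def policy_trust_any_ca(cert: VerifiedClientCert) -> Optional[str]:
    """Weak policy: every verified certificate is a credential, its CN is the login.

    This is the failure mode the quoted mail warns about: any CA in the trust
    store can issue a certificate with an arbitrary CN and thereby assert any
    login name on this server.
    """
    return cert.common_name


def policy_fingerprint_allowlist(cert: VerifiedClientCert,
                                 allowlist: Dict[str, str]) -> Optional[str]:
    """Stricter policy: only explicitly enrolled certificates are credentials.

    The login name comes from the locally administered map, never from the
    certificate's own subject, so the issuing CA cannot choose it. Returns
    None when the certificate is unknown; the caller treats that as an
    EXTERNAL authentication failure.
    """
    return allowlist.get(cert.fingerprint("sha256"))


# Constructed sample certificates. The impostor has the same CN but was issued
# by a different CA that also happens to be in the server's trust store.
ALICE_CERT = VerifiedClientCert(der=b"constructed-der:alice:internal-ca",
                                common_name="alice", issuer="Internal Mail CA")
IMPOSTOR_CERT = VerifiedClientCert(der=b"constructed-der:alice:other-ca",
                                   common_name="alice", issuer="Some Other Trusted CA")

# The administrator enrolls alice's certificate by recording its fingerprint
# and the one login name that certificate may assert.
RELAY_CLIENTCERTS: Dict[str, str] = {
    ALICE_CERT.fingerprint("sha256"): "alice",
}


def compare_policies(cert: VerifiedClientCert) -> Dict[str, Optional[str]]:
    """Return the login name each policy would grant for the presented certificate."""
    return {
        "trust_any_ca": policy_trust_any_ca(cert),
        "fingerprint_allowlist": policy_fingerprint_allowlist(cert, RELAY_CLIENTCERTS),
    }


if __name__ == "__main__":
    for label, cert in (("enrolled cert", ALICE_CERT), ("impostor cert", IMPOSTOR_CERT)):
        print(label, cert.fingerprint()[:23] + "...", compare_policies(cert))
```

Under the first policy both certificates log in as alice; under the second only the enrolled one does, and the impostor is refused even though its chain verified. That is the distinction between "Postfix verified the certificate" and "this certificate is authorised to assert this login", which the two sides of the thread are talking past each other about.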
