Re: TLS client certificates and auth external

2019-04-11 Thread lst_hoe02



Quoting Emmanuel Fusté:


On 27/03/2019 at 18:10, Emmanuel Fusté wrote:

On 27/03/2019 at 17:14, Viktor Dukhovni wrote:

On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:


The goal is to be as transparent as possible:
- if the client is not found in relay_clientcerts, act as usual
- if the client is found in relay_clientcerts, no longer announce
AUTH support; the auth and identity mapping are already done by the
relay_clientcerts map

I believe you're asking Postfix to (when configured to do that)
simulate "AUTH EXTERNAL" when the client has presented a client
certificate, but proceeds from "EHLO" to "MAIL FROM" with no
intervening explicit "AUTH".
Yes, exactly, if a hash to SASL id/username mapping is found in
relay_clientcerts.


The simulated "AUTH EXTERNAL" would never "fail" (5XX), it either
yields an authenticated user or proceeds with the user unauthenticated,
and acts accordingly.

Does that sound right?
Yes, in the unauthenticated case (not present in relay_clientcerts),
the simulated "AUTH EXTERNAL" must ideally not be performed and
AUTH support be announced as usual, as this is perhaps a client with
proper AUTH support (otherwise it would be listed with a mapping in
relay_clientcerts).


Ok, patch attached.
Needs to be applied on top of Bastian's one.
Works well here, thanks to the hard part done by Bastian!
Please comment.

Emmanuel.


This sounds like the feature we will need. I doubt the client would be
able to do real AUTH, but we have to trust/relay based on the CN of a
validated certificate. Is there any progress merging this in the 3.5
line or do I have to poke around with patches some longer?


Thanks

Andreas
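The behaviour Emmanuel and Viktor agree on above (look the client certificate's fingerprint up in relay_clientcerts; if it is present, treat the mapped value as the SASL identity and stop announcing AUTH; if it is absent, or no certificate was presented, behave exactly as today) is shown below as an added Python illustration. It is not code from the thread, from Bastian's or Emmanuel's patch, or from Postfix itself: the DER bytes, the relay_clientcerts entries and the EHLO keyword list are all constructed, and the fingerprint formatting (uppercase hex pairs joined with colons) follows the notation Postfix's TLS_README uses for fingerprint lookup keys. Note that stock `permit_tls_clientcerts` only tests whether the fingerprint key exists; using the right-hand value as a username is the proposal under discussion, not shipped behaviour.

```python
"""Decision logic for "implicit AUTH EXTERNAL" driven by relay_clientcerts.

Added illustration of the behaviour discussed in the thread, not Postfix code.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded client certificates.  Postfix hashes
# the whole DER certificate; for the illustration any byte string will do.
CLIENT_A_DER = b"constructed DER bytes for client A"
CLIENT_B_DER = b"constructed DER bytes for client B"
UNKNOWN_DER = b"constructed DER bytes for a client not listed in the table"


def postfix_fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Digest of the DER certificate in Postfix fingerprint notation:
    uppercase hex pairs separated by colons (e.g. 'AB:CD:...')."""
    raw = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


# Constructed relay_clientcerts table in postmap text form: "key value".
# The values are the SASL usernames the proposal would map each client to.
RELAY_CLIENTCERTS_TEXT = f"""\
# constructed example table; fingerprints are {'sha256'} digests
{postfix_fingerprint(CLIENT_A_DER)}  client-a@example.com
{postfix_fingerprint(CLIENT_B_DER)}  client-b@example.com
"""


def parse_relay_clientcerts(text: str) -> Dict[str, str]:
    """Parse a relay_clientcerts table: one 'key value' pair per line,
    blank lines and '#' comments ignored.  Keys are normalised to upper
    case so lookups are insensitive to how the fingerprint was typed."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        table[key] = value
    return table


def simulate_ehlo(cert_der: Optional[bytes], table: Dict[str, str],
                  digest: str = "sha256") -> dict:
    """Apply the rule from the thread at EHLO time.

    - No certificate, or fingerprint not in the table: act as usual, i.e.
      keep announcing AUTH and leave the session unauthenticated.
    - Fingerprint present: the mapped value becomes the SASL username
      (the simulated AUTH EXTERNAL) and AUTH is no longer announced.
    The simulated step never fails with a 5XX; it only succeeds or is skipped.
    """
    if cert_der is None:
        return {"announce_auth": True, "sasl_username": None}
    username = table.get(postfix_fingerprint(cert_der, digest).upper())
    if username is None:
        return {"announce_auth": True, "sasl_username": None}
    return {"announce_auth": False, "sasl_username": username}


def ehlo_capabilities(decision: dict) -> List[str]:
    """Constructed EHLO keyword list; AUTH is present only when the decision
    says it should still be announced."""
    caps = ["PIPELINING", "SIZE 10240000", "ENHANCEDSTATUSCODES", "8BITMIME"]
    if decision["announce_auth"]:
        caps.append("AUTH PLAIN LOGIN")
    return caps


TABLE = parse_relay_clientcerts(RELAY_CLIENTCERTS_TEXT)

if __name__ == "__main__":
    for label, der in (("client A", CLIENT_A_DER), ("unknown", UNKNOWN_DER),
                       ("no cert", None)):
        d = simulate_ehlo(der, TABLE)
        print(label, d, ehlo_capabilities(d))
```

Running the module prints the decision and resulting EHLO keywords for a listed client, an unlisted client and a client that presented no certificate, so the "transparent" property Emmanuel asks for (the unlisted cases look exactly like today) is visible side by side with the mapped case.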




Re: TLS client certificates and auth external

2019-04-11 Thread Wietse Venema
lst_ho...@kwsoft.de:
> This sounds like the feature we will need. I doubt the client would be
> able to do real AUTH, but we have to trust/relay based on the CN of a
> validated certificate. Is there any progress merging this in the 3.5
> line or do I have to poke around with patches some longer?

Yes and yes. It is ready when it is ready.

Wietse


Which LDAP schema contains objectclass ldapgroup

2019-04-11 Thread luckydog xf
Hi,
  As listed at http://ftp.uma.es/mirror/postfix/doc/LDAP_README.html, which
mentions an objectclass

 objectclass: ldapgroup


Which schema contains this objectclass? It's pretty hard to google it; all
results are related to basic knowledge of LDAP if I use the keyword 'objectclass
ldapgroup', or are pages with the Postfix LDAP README.

Thanks,