
Re: client certificate handling with TLS + sasl

  • Victor Duchovni
    Message 1 of 4, Feb 25 11:21 AM
      On Thu, Feb 25, 2010 at 01:42:27PM -0500, zhong ming wu wrote:

      > > Postfix does not implement the "external" SASL mechanism for
      > > authenticating users via TLS client certs.
      >
      > So it sends user/password to dovecot socket and get yes/no answer?

      Postfix copies SASL protocol requests between the SMTP client and the
      SASL library. Postfix does not know whether the packets contain passwords
      for a PLAIN mechanism or some complex handshake for CRAM-MD5 or GSSAPI.

      Regardless, Postfix has no support for "external" AUTH whether via TLS
      or by other means.

      > > TLS is hop-by-hop, not end to end. With TLS the client authenticates
      >
      > I would call a server dedicated only to my own users specifically for
      > relay at a submission port "end to end."

      I was explaining that the TLS connection terminates at the Postfix SMTP
      server, and Dovecot does not see the TLS exchange; it is not end-to-end
      from the SMTP client to Dovecot. Disputing the explanation is unwise.
      If it is unclear, feel free to ask further questions.

      > > Such glue would be fragile in any case, as one needs to be extremely
      > > careful which CAs one is willing to trust in this context, and most
      > > users would get this wrong and be open relays for anyone who can
      > > get a client cert from a public CA. I do not recommend this feature.
      >
      > My dovecot server trusts certs signed by my own private CA. With
      > postfix I would think
      > it would be a matter of maintaining two separate lists of CA.

      I stand by my point, this would be a high-risk feature that a lot
      of users would misconfigure.

      Have you considered client cert fingerprints and check_ccert_access?

      --
      Viktor.

      P.S. Morgan Stanley is looking for a New York City based, Senior Unix
      system/email administrator to architect and sustain our perimeter email
      environment. If you are interested, please drop me a note.
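The fingerprint approach Victor points at, worked through as an added example (this is not code from the original thread or from the Postfix project). It assumes a sha256 fingerprint digest, an access table at /etc/postfix/relay_ccerts, and a Postfix release that has smtpd_tls_fingerprint_digest (2.5 and later); the main.cf fragment and the two "certificates" are constructed placeholders (the PEM bodies are not real ASN.1) so the script runs offline. The point it demonstrates is the one made above: check_ccert_access grants relay only to the exact certificates enrolled in the table, never to "anything signed by some CA", and the whole decision is made at the Postfix hop, so Dovecot is not involved at all.

```python
"""Pin relay clients by TLS client-certificate fingerprint (check_ccert_access).

Added example, not part of the original thread. Assumed: fingerprint digest
sha256, access table source at /etc/postfix/relay_ccerts, Postfix 2.5+ (where
smtpd_tls_fingerprint_digest exists). The PEM blobs below are constructed
placeholders so the script runs offline; feed it real client certificates
in production.
"""
import base64
import hashlib
import ssl

DIGEST = "sha256"  # must match smtpd_tls_fingerprint_digest in main.cf

# main.cf fragment this script pairs with (assumed values, adjust to your site).
# On Postfix 2.10+ the relay decision normally lives in smtpd_relay_restrictions
# instead; the ordering principle is the same.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_ccert_access hash:/etc/postfix/relay_ccerts,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def fingerprint(pem: str, digest: str = DIGEST) -> str:
    """Postfix-style fingerprint: digest of the DER-encoded certificate as
    upper-case hex octets joined by ':', the form used as the access(5) key."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def build_access_table(clients: dict) -> str:
    """Render the source of hash:/etc/postfix/relay_ccerts (run postmap on it).
    One '<fingerprint> OK' line per enrolled certificate, preceded by a comment
    naming the owner, so revoking a client is one deleted line plus postmap."""
    lines = []
    for name, pem in sorted(clients.items()):
        lines.append(f"# {name}")
        lines.append(f"{fingerprint(pem)} OK")
    return "\n".join(lines) + "\n"


def parse_access_table(text: str) -> dict:
    """Minimal reader for the access(5) source format: 'key value' lines;
    blank lines and '#' comment lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def check_ccert_access(table: dict, presented_fp: str):
    """Simulate the restriction: return the access(5) action for the presented
    certificate fingerprint, or None when the key is absent. An absent key is
    not a reject; Postfix just moves on to the next restriction, which is why
    reject_unauth_destination must still follow in the list."""
    return table.get(presented_fp.upper())


def placeholder_pem(label: str) -> str:
    """Constructed stand-in for a client certificate (NOT a valid certificate)."""
    body = base64.b64encode(f"constructed placeholder cert: {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: one enrolled client, one stranger.
ALICE_PEM = placeholder_pem("alice-laptop")
BOB_PEM = placeholder_pem("bob-phone")
ENROLLED = {"alice-laptop": ALICE_PEM}
TABLE = parse_access_table(build_access_table(ENROLLED))

if __name__ == "__main__":
    print(MAIN_CF)
    print(build_access_table(ENROLLED))
    print("alice     :", check_ccert_access(TABLE, fingerprint(ALICE_PEM)))
    print("bob       :", check_ccert_access(TABLE, fingerprint(BOB_PEM)))
    # Digest mismatch: table built with sha256, server set to md5 -> never matches.
    print("alice/md5 :", check_ccert_access(TABLE, fingerprint(ALICE_PEM, "md5")))
```

Two practical checks follow from the last two lines of the script: a certificate that is not enrolled simply falls through to the remaining restrictions, so the list must still end in reject_unauth_destination, and the digest used to build the table must equal smtpd_tls_fingerprint_digest, otherwise no key ever matches and every client silently loses relay. Whether a given Postfix release also insists that the presented certificate verify against smtpd_tls_CAfile before the lookup is done is documented under check_ccert_access in postconf(5) for that release; the access decision itself never depends on which CA issued the certificate.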