How to authenticate through an X509/pkcs12 client certificate (SSLv3/[RFC 5246?] authentication only)?

Thomas Harding tom at thomas-harding.name
Thu Sep 2 15:11:37 EDT 2010


Hello,
In fact, the CMU manual has "todo" in this section, and I didn't find
anything on Google about that:

* I would like to avoid user/password authentication and use only client
certificates to authenticate and then log in IMAP users.

My searches on the Internet didn't succeed; however, pkcs12 files
and physical security devices (credit-card-like cards, RFID...) seem
better (no password exchange, even through TLS, but a challenge
response to be resent).

However, I use my own CA chain (with an intermediate CA)
to authenticate users in Postfix, not for accounting, which would
need the same process, and both Postfix and Cyrus ask for a
certificate issued by this secondary authority.
So, my Postfix smtp_sender_restrictions rules allow mail from
certificates issued by my authority (permit_tls_all_clientcerts);
these users are logged as "trusted", while certificates from other
authorities are logged as anonymous.

At the same time, I have:

Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in

And I run imaps (tcp 993) only.

So, how do I use "TLS" authentication without PLAIN or other authentication
mechanisms?


* I wonder if something is planned in Cyrus SASL to allow accounting
through the X509 subject DN, with selected CA authorities.


* I wonder if it is possible, by configuration, to allow only one or a set
of root or intermediate CAs from "the CA wallet" to "prove" only their
own users for login. I use a separate CA bundle in Postfix
to do that, but would prefer a dedicated SASL mechanism to avoid
double-checking.

These two points would allow a single point or multiple points, the CAs, to
give out user accounts without intervention on the server (with an
autocreatemailbox at first connection, but not at first received mail).

Is something planned or done on any of these points?

-- 
Thomas Harding,
http://tsfh.org
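
The Postfix side described in the post, as an added configuration sketch that is not part of the original message and not the list's answer: the permissive permit_tls_all_clientcerts form the poster uses, beside the tighter check_ccert_access form that pins individual certificate fingerprints, plus the imapd.conf lines that load the same CA chain. Parameter names are taken from postconf(5) and the 2.3/2.4-era imapd.conf(5); the file paths, the table name and the fingerprint value are made up for illustration, and whether a given imapd build hands the client certificate's CN to SASL as an EXTERNAL identity is an assumption that has to be checked against that version's logs.

```ini
# /etc/postfix/main.cf (fragment; paths and table names are assumed)
smtpd_tls_security_level     = encrypt
smtpd_tls_cert_file          = /etc/postfix/smtpd.pem
smtpd_tls_key_file           = /etc/postfix/smtpd.key
# Only this chain (own root + intermediate) may vouch for client
# certificates. Do not point this at the system-wide CA bundle, or
# any commercial CA's customers become "trusted".
smtpd_tls_CAfile             = /etc/postfix/my-ca-chain.pem
smtpd_tls_ask_ccert          = yes
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_loglevel           = 1

# Permissive form (what the post describes): every certificate that
# verifies against smtpd_tls_CAfile is accepted, no per-user control.
#smtpd_sender_restrictions = permit_tls_all_clientcerts, ...

# Pinned form: only certificates whose fingerprint is listed in the
# table are accepted. A certificate from the same CA that is not listed
# simply does not match and falls through to whatever follows.
smtpd_sender_restrictions = check_ccert_access hash:/etc/postfix/relay_clientcerts, ...

# /etc/postfix/relay_clientcerts (build with: postmap hash:/etc/postfix/relay_clientcerts)
# Key:   certificate fingerprint, as printed by
#        openssl x509 -noout -sha256 -fingerprint -in tom.pem
# Value: free text, shown in the Postfix log.
# The fingerprint below is a made-up placeholder, not a real certificate.
#00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF tom

# /etc/imapd.conf (fragment; 2.3/2.4-era option names, paths assumed)
#tls_cert_file: /etc/cyrus/imapd.pem
#tls_key_file:  /etc/cyrus/imapd.key
# Same restricted chain as Postfix: this is what client certificates
# are verified against on imaps.
#tls_ca_file:   /etc/postfix/my-ca-chain.pem
# Offer only EXTERNAL (identity supplied by the TLS layer) and drop
# PLAIN. Whether a verified client certificate produces an EXTERNAL
# identity in your imapd build is an assumption: confirm it in the
# imapd login log line before relying on it.
#sasl_mech_list: EXTERNAL
```

The point of the pinned form is that smtpd_tls_CAfile answers only "was this certificate issued by a CA I chose?", while the relay_clientcerts lookup answers "is this specific certificate one I enrolled?"; the log line in the post ("plain+TLS User logged in") shows imapd still authenticating with PLAIN over TLS, so the certificate was at most verified by the TLS layer and not used as the login identity.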


More information about the Cyrus-sasl mailing list