How to authenticate through a X509/pkcs12 client certificate (SSLv3/ [RFC 5246 ?] authentication only)?

Dan White dwhite at olp.net
Thu Sep 2 15:44:22 EDT 2010


On 02/09/10 21:11 +0200, Thomas Harding wrote:
>However, I use my own created CA chain (with intermediate one)
>to authenticate users in Postfix, not to account, which would
>need the same process, and both postfix and cyrus ask for a
>certificate issued from this secondary authority.
>So, my postfix smtp_sender_restrictions rules allow mail from
>certificates issued by my authority (permit_tls_all_clientcerts),
>these users are logged as "trusted", while certificates from other
>authorities are logged as anonymous.
>
>At the same time, I have:
>Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in
>
>And I run imaps (tcp 993) only.
>
>So, how to use "TLS" authentication without plain/other authentication
>mechanisms?
>
>* I wonder if something is planned on cyrus SASL to allow accounting
>through X509 subject DN, with selected CA authorities

The cyrus sasl library facilitates the use of authentication of a TLS
session via the EXTERNAL mechanism. However, such support must be
implemented by the server in question (such as Postfix).

Servers typically implement support by providing a STARTTLS command, and
using some information contained in the certificate to derive a username.
How the server derives the username is up to the server.

For instance, the imapd server does this in its starttls implementation:

     /* From imap/tls.c */
     *authid = peer_CN[0] ? xstrdup(peer_CN) : NULL;

     /* from imap/imapd.c */
     result = sasl_setprop(imapd_saslconn, SASL_AUTH_EXTERNAL, auth_id);

Which presumably means that whatever is in the common name of the
certificate will become the authenticated identity.

I believe sendmail, cyrus imap, and openldap support such authentication. I
don't believe postfix does. I cannot find any mention of SASL_AUTH_EXTERNAL
in its source.

-- 
Dan White
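As an added illustration (not code from the Cyrus project or from either message in this thread), here is the derivation Dan describes, CN of the peer certificate or no EXTERNAL authid at all, combined with the "selected CA authorities" restriction Thomas asked about. It works on the text form of a DN as produced by OpenSSL's X509_NAME_oneline(); the DN strings, the trusted-issuer list and the function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the value of attribute `attr` (e.g. "CN") from a DN in OpenSSL's
 * X509_NAME_oneline() form, "/C=FR/O=Example/CN=tom". Returns a malloc'd
 * copy, or NULL if the attribute is absent or empty. Values that themselves
 * contain '/' are not handled here; code working on a real X509 object should
 * use X509_NAME_get_text_by_NID(..., NID_commonName, ...) instead of parsing
 * text. */
char *dn_get_attr(const char *dn, const char *attr)
{
    size_t alen = strlen(attr);
    const char *p = dn;
    while ((p = strchr(p, '/')) != NULL) {
        p++;                                   /* skip the '/' */
        if (strncmp(p, attr, alen) == 0 && p[alen] == '=') {
            const char *v = p + alen + 1;
            const char *end = strchr(v, '/');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen == 0)
                return NULL;                   /* "CN=" present but empty */
            char *out = malloc(vlen + 1);
            if (!out)
                return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
    }
    return NULL;
}

/* Derive the EXTERNAL authid the way the quoted imapd snippet does (CN or
 * nothing), but only when the certificate was issued by one of the CAs the
 * operator trusts for authentication. Returns a malloc'd authid, or NULL,
 * in which case the server would not set SASL_AUTH_EXTERNAL and the client
 * would have to use another mechanism. (Hypothetical helper.) */
char *derive_external_authid(const char *subject_dn, const char *issuer_dn,
                             const char *const *trusted_issuers, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(issuer_dn, trusted_issuers[i]) == 0)
            break;
    if (i == n)
        return NULL;                            /* issuer not in allowlist */
    return dn_get_attr(subject_dn, "CN");       /* NULL if CN missing/empty */
}
```

Note that a certificate whose subject has no CN, or an empty one, yields no authid even when the issuer is trusted, which matches the `peer_CN[0] ? ... : NULL` check in tls.c.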