How to authenticate through a X509/pkcs12 client certificate (SSLv3/ [RFC 5246 ?] authentication only)?

Dieter Kluenter dieter at dkluenter.de
Thu Sep 2 15:49:28 EDT 2010


Thomas Harding <tom at thomas-harding.name> writes:

> Hello,
> In fact the CMU manual have "todo" in this section, and I didn't find
> anything in Google about that :
>
> * I would avoid user/password authentication and use only client
> certificates to authenticate then login imap users.
>
> My searches didn't succeed on the Internet, however pkcs12 files
> and physical security devices (credit-like cards, rfid...) seem
> better (no password exchange even through TLS but a challenge
> response to resent).
>
> However, I use my own created CA chain (with intermediate one)
> to authenticate users in Postfix, not to account, which would
> need the same process, and both postfix and cyrus ask for a
> certificate issued from this secondary authority.
> So, my postfix smtp_sender_restrictions rules allow mails from
> certificates issued by my authority (permit_tls_all_clientcerts),
> these users are logged as "trusted", while certificates from other
> authorities are logged as anonymous.
>
> At the same time, I have:
>
> Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in
>
> And I run imaps (tcp 993) only.
>
> So, how to use "TLS" authentication without plain/other authentication
> mechanisms ?
>
>
> * I wonder if something is planned on cyrus SASL to allow accounting
> through X509 subject DN, with selected CA authorities
>
>
> * I wonder if possible by configuration to allow only one or a set
> of root or intermediate CAs from "the CA wallet" to "proof" only their
> own users to log in, while I use a separate CA bundle into Postfix
> to do that, but would prefer a sasl dedicated mechanism to avoid
> double-check.
>
> These two points will allow a single or multiple points, the CAs, to
> give user accounts without intervention on server (with an
> autocreatemailbox at first connection, but not at first received mail)
>
> Is something planned or done on any of these points?

You may use OpenLDAP as identity provider, ldapdb as auxiliary
property plugin and SASL Mechanism EXTERNAL.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535 at sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
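Whichever mechanism ends up doing the authentication, the imaps login lines quoted above are where to confirm that nobody is still getting in with plain+TLS. The following parser and audit is an added example, not code from either poster or from Cyrus; the log lines it checks are constructed in the format shown in the thread, and the assumption that a certificate-based login is logged with mechanism "EXTERNAL" is mine.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

# Format of the login line quoted in the thread:
#   Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in
LOGIN_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) cyrus/(?P<service>\w+)\[\d+\]: "
    r"login: \[(?P<ip>[^\]]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in"
)


class Login(NamedTuple):
    ts: str
    service: str
    ip: str
    user: str
    mech: str  # as logged, e.g. "plain+TLS" or "EXTERNAL+TLS"


def parse_login(line: str) -> Optional[Login]:
    """Return the fields of a successful-login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return Login(m["ts"], m["service"], m["ip"], m["user"], m["mech"])


def audit(lines: Sequence[str], allowed_mechs: Sequence[str] = ("EXTERNAL",)) -> List[Login]:
    """Return logins whose SASL mechanism is not in allowed_mechs.

    The "+TLS" suffix only says the session was encrypted; the token before
    it is the mechanism that actually authenticated the user, so a policy of
    "client certificates only" means every login should show EXTERNAL there.
    """
    violations = []
    for line in lines:
        login = parse_login(line)
        if login is None:
            continue
        mech = login.mech.split("+", 1)[0].upper()
        if mech not in allowed_mechs:
            violations.append(login)
    return violations


# Constructed sample log; only the first line is taken from the thread.
SAMPLE_LOG = [
    "Sep  2 17:27:23 smtp2 cyrus/imaps[27137]: login: [192.168.0.254] tom plain+TLS User logged in",
    "Sep  2 17:30:01 smtp2 cyrus/imaps[27140]: login: [192.168.0.17] alice EXTERNAL+TLS User logged in",
    "Sep  2 17:31:45 smtp2 cyrus/imaps[27142]: login: [192.168.0.254] bob PLAIN User logged in",
    "Sep  2 17:32:00 smtp2 cyrus/imaps[27143]: badlogin: [192.168.0.9] plaintext mallory SASL(-13): authentication failure",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.ts} {v.service} {v.ip} user={v.user} authenticated with {v.mech}")
```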
