On Thu, Feb 25, 2010 at 12:48 AM, Victor Duchovni
<victor.ducho...@morganstanley.com> wrote:

> Postfix does not implement the "external" SASL mechanism for
> authenticating users via TLS client certs.

So it sends user/password to the dovecot socket and gets a yes/no answer?

>
> TLS is hop-by-hop, not end to end. With TLS the client authenticates

I would call a server dedicated only to my own users specifically for
relay at a submission port "end to end."

> Such glue would be fragile in any case, as one needs to be extremely
> careful which CAs one is willing to trust in this context, and most
> users would get this wrong and be open relays for anyone who can
> get a client cert from a public CA. I do not recommend this feature.

My dovecot server trusts certs signed by my own private CA.  With
postfix I would think it would be a matter of maintaining two separate
lists of CAs.  This can be done with a master.cf option for, say, the
submission server, which overrides the CA list of the public MX server;
I have not tested this setup.  If I were to maintain two separate
servers, one for submission and one for public MX, this would be even
less susceptible to errors.

Come to think of it, there are two simple features I am asking for:
"require client cert" and pass the CN from the cert to the SASL server.
After all, postfix knows how to ask for a cert from the client and knows
how to parse the CN from the cert; I can see it write the CN to the log.
Of course these two features should never be used in a public MX server.

There is also the difficult-to-implement feature of making SASL work
with postfix if dovecot has "require client cert" turned on, in which
case the dovecot socket may be completely and not mentioned in the
dovecot documentation.
BTW I asked a similar question on the dovecot mailing list and my post
disappeared into a black hole.

>
> If you want a decent SASL mechanism that is better than passwords,
> use GSSAPI. Also, more MUAs support GSSAPI auth than client TLS auth.

I didn't know about GSSAPI but will look further into it.

Thanks for your explanation.

mr.wu

> --
>        Viktor.
>
> P.S. Morgan Stanley is looking for a New York City based, Senior Unix
> system/email administrator to architect and sustain our perimeter email
> environment.  If you are interested, please drop me a note.
>
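
As an added example, not part of mr.wu's post or Viktor's reply: the per-service split sketched above (a private CA trusted only on the submission service, the public MX never asking for client certs) can be expressed with existing Postfix settings. Postfix has no "CN to SASL" glue, so instead of trusting every certificate the CA ever issued, this uses the relay_clientcerts fingerprint table, which is what permit_tls_clientcerts consults. The file paths, the certificate fingerprint and the RHS text are placeholders; it assumes a Postfix with smtpd_relay_restrictions (2.10 and later; older versions put the same list in smtpd_recipient_restrictions).

```ini
# Added example, not the thread's own configuration. Paths are placeholders.

# main.cf -- defaults that the public MX on port 25 inherits: TLS is
# offered but client certificates are neither requested nor trusted for
# relaying, so a cert from any CA buys nothing here.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
smtpd_tls_fingerprint_digest = sha256
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# master.cf -- the submission service overrides those defaults. Only this
# service points at the private CA and requires a trusted client cert;
# "-o" values must not contain spaces.
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_CAfile=/etc/postfix/private-ca.pem
  -o relay_clientcerts=hash:/etc/postfix/relay_clientcerts
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject

# /etc/postfix/relay_clientcerts (build with "postmap"): one line per
# permitted certificate, keyed by its fingerprint; the RHS is free text.
# permit_tls_clientcerts matches only listed fingerprints. The alternative
# permit_tls_all_clientcerts accepts any cert the trusted CA signed, which
# is exactly the "open relay for anyone with a cert" risk Viktor describes.
# <sha256 fingerprint, colon-separated hex, as printed in the Postfix log>  user-laptop
```

The fingerprint of a connecting client certificate appears in the smtpd log line when the handshake completes, which is how the table gets populated without ever trusting the CA wholesale; an unlisted certificate from the same private CA still completes TLS but is rejected at the relay restriction.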
