Thanks, policy services was the answer.
Now I can require both client certificate authentication and
username/password at the same time, and furthermore it allows registering
the allowed client certificate per SASL user. I share my basic setup for
reference:
master.cf:
127.0.0.1:9998 inet n n n - 0 spawn
  user=someuser argv=/opt/match_cert_to_user_policy_server.php
main.cf:
smtpd_client_restrictions = check_policy_service inet:127.0.0.1:9998 reject
smtpd_recipient_restrictions = permit_sasl_authenticated reject
match_cert_to_user_policy_server.php:
#!/usr/bin/php
<?php
// Postfix smtpd policy server: answer "ok" only when the SASL user's
// registered client-certificate fingerprint matches the one presented over TLS.
$stdin = fopen('php://stdin', 'r');
$postfixIncomingAttributes = array();
// Read one request: "name=value" lines terminated by an empty line.
while (true) {
    $line = fgets($stdin);
    if ($line === false) {
        // Postfix closed the connection before the request was complete;
        // exit instead of spinning forever on EOF.
        exit(0);
    }
    if ($line == "\n") {
        break;
    }
    // Split on the first '=' only; attribute values may themselves contain '='.
    $splittedLine = explode('=', $line, 2);
    if (count($splittedLine) == 2) {
        $postfixIncomingAttributes[$splittedLine[0]] = trim($splittedLine[1]);
    }
}
// SASL login name => expected client-certificate fingerprint, in the digest
// format selected by smtpd_tls_fingerprint_digest.
$userCertMappings = [
    'user1' => '2E:DF:45:25:E1:50:60:DB:69:24:C3:80:C0:06:49:FE',
    'user2' => '93:A6:23:A1:96:2E:4B:0D:6B:EE:2E:71:C5:F3:DC:24',
];
$saslUsername = isset($postfixIncomingAttributes['sasl_username'])
    ? $postfixIncomingAttributes['sasl_username'] : '';
$presentedCertFingerprint = isset($postfixIncomingAttributes['ccert_fingerprint'])
    ? $postfixIncomingAttributes['ccert_fingerprint'] : '';
$expectedCertFingerprint = isset($userCertMappings[$saslUsername])
    ? $userCertMappings[$saslUsername] : null;
// Case-insensitive, constant-time comparison of the two hex fingerprints.
if ($expectedCertFingerprint !== null && $presentedCertFingerprint !== ''
    && hash_equals(strtoupper($expectedCertFingerprint), strtoupper($presentedCertFingerprint))) {
    fwrite(STDOUT, "action=ok\n");
} else {
    fwrite(STDOUT, "action=reject\n");
}
fwrite(STDOUT, "\n");
On Thu, Feb 2, 2017 at 3:38 PM, Viktor Dukhovni <[email protected]>
wrote:
>
> > On Feb 2, 2017, at 2:47 PM, Jaime Hablutzel Egoavil <
> [email protected]> wrote:
> >
> >>> When authenticating to Postfix with a client certificate, is it
> currently
> >>> possible to make Postfix match any of the client certificate subject
> >>> attributes (e.g. emailaddress) against the user to be authenticated
> through
> >>> SMTP authentication mechanisms?.
> >>
> >> No. But policy services can be used to limit particular senders
> >> to particular client certificate fingerprints.
> >
> > You are talking about the "check_ccert_access" directive don't you?
>
> No, I'm talking about policy services:
>
> http://www.postfix.org/SMTPD_POLICY_README.html
> http://www.postfix.org/SMTPD_POLICY_README.html#protocol
>
>
> > Could you point me to clearest documentation or example on doing example
> > what you said, i.e. limit particular senders to particular client
> > certificate fingerprints.?
>
> request=smtpd_access_policy
> ...
> [email protected]
> ...
> ccert_subject=solaris9.porcupine.org
> ccert_issuer=Wietse+20Venema
> ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
>
> --
> Viktor.
>
>
--
Jaime Hablutzel - RPC 994690880
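The same check as the PHP script above, written in Python as an added example (not code from the original post or from Postfix). It implements the smtpd_access_policy attribute protocol described in SMTPD_POLICY_README and goes a little beyond the script: it serves several requests over one connection, stops cleanly when Postfix closes the socket, splits only on the first "=" so attribute values containing "=" survive, and compares fingerprints case-insensitively in constant time. The user names and fingerprints in USER_CERT_MAPPINGS are constructed placeholders; serve_text is a helper for offline testing only.

```python
"""Postfix smtpd access-policy server that ties each SASL login to one
client-certificate fingerprint.  Added example; the mapping is constructed."""
import hmac
import io
import sys
from typing import Dict, Optional, TextIO

# Constructed mapping: SASL login name -> expected client-cert fingerprint,
# in the format Postfix produces for the configured smtpd_tls_fingerprint_digest.
USER_CERT_MAPPINGS: Dict[str, str] = {
    "user1": "2E:DF:45:25:E1:50:60:DB:69:24:C3:80:C0:06:49:FE",
    "user2": "93:A6:23:A1:96:2E:4B:0D:6B:EE:2E:71:C5:F3:DC:24",
}


def read_request(instream: TextIO) -> Optional[Dict[str, str]]:
    """Read one policy request: 'name=value' lines ended by an empty line.
    Returns None when the stream ends before a complete request arrives."""
    attrs: Dict[str, str] = {}
    while True:
        line = instream.readline()
        if line == "":          # EOF: Postfix closed the socket
            return None
        line = line.rstrip("\n")
        if line == "":          # blank line terminates the request
            return attrs
        name, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            attrs[name] = value


def decide(attrs: Dict[str, str], mappings: Dict[str, str]) -> str:
    """Return 'ok' only when the SASL user has a registered fingerprint and the
    presented client certificate matches it; anything else is rejected."""
    user = attrs.get("sasl_username", "")
    presented = attrs.get("ccert_fingerprint", "")
    expected = mappings.get(user)
    if not user or not presented or expected is None:
        return "reject"
    # Constant-time, case-insensitive comparison of the hex fingerprints.
    if hmac.compare_digest(presented.upper().encode(), expected.upper().encode()):
        return "ok"
    return "reject"


def serve(instream: TextIO, outstream: TextIO,
          mappings: Dict[str, str] = USER_CERT_MAPPINGS) -> int:
    """Answer every request on the connection; returns the number handled."""
    handled = 0
    while True:
        attrs = read_request(instream)
        if attrs is None:
            return handled
        outstream.write("action=%s\n\n" % decide(attrs, mappings))
        outstream.flush()
        handled += 1


def serve_text(request_text: str,
               mappings: Dict[str, str] = USER_CERT_MAPPINGS) -> str:
    """Offline helper: feed raw request text, get the concatenated replies."""
    out = io.StringIO()
    serve(io.StringIO(request_text), out, mappings)
    return out.getvalue()


if __name__ == "__main__":
    # Run under a master.cf "spawn" entry; stdin/stdout are the policy socket.
    serve(sys.stdin, sys.stdout)
```

Deploy it the same way as the PHP script, by pointing the argv= of the master.cf spawn entry at this file. The fingerprint strings in the mapping must be in the digest format Postfix sends in ccert_fingerprint (16 colon-separated bytes as shown here means an MD5 digest), so they have to agree with smtpd_tls_fingerprint_digest on the server.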