From: Dick Visser (no email)
Date: Tue Mar 23 2010 - 09:21:58 EDT
Hi guys
At the moment we use SASL authentication to allow our users to
send mail through our mailer (Postfix 2.5). I would like to extend this
to using client certificates for authentication as well.
Our users have personal certificates that are signed by the "TERENA
Personal CA". Due to the nature of this CA, it is guaranteed that all
the attributes in the certificate are correct (see
https://www.terena.org/activities/tcs/ for more information).
So certificates with O=OrganisationX are therefore guaranteed to really
be from Organisation X. I would like to use this to give relay access to
my users.
Regarding access control and client certs I can find:
* allow all certs based on the issuer (smtpd_tls_CAfile). This is not an
option because the CA also signs ccerts from other institutions.
* allow certs based on their fingerprint (check_ccert_access). This is
not scalable.
Postfix already has access to at least the Common Name and Issuer
attributes of the ccert, as can be seen by these headers:
Received: from [192.168.2.199] (a213088.upc-a.chello.nl [62.163.213.88])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Dick Visser", Issuer "TERENA Personal CA" (verified OK))
(Authenticated sender: )
by erasmus.terena.org (Postfix) with ESMTPSA id 6466087BC3
for <>; Mon, 22 Mar 2010 21:33:38 +0100 (CET)
Is there a way to restrict relaying access only to clients showing a
certificate that has:
* issuer "TERENA Personal CA"
* O=TERENA
* C=NL
?
I guess what I am looking for is a new restriction called something like
"check_ccert_attr", that would use user defined attributes to take
decisions. That would be really scalable for our situation.
Any ideas how to implement this in other ways?
I looked into policy daemon options but Postfix does not pass any
certificate information other than ccert_subject, ccert_issuer, and
ccert_fingerprint, which is not enough for what we want.
Thanks!
-- Dick Visser System & Networking Engineer TERENA Secretariat Singel 468 D, 1017 AW Amsterdam The Netherlands T +31 20 530 44 88 F +31 20 530 44 99 | www.terena.org
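Added example, not code from Postfix or from the poster: the "check_ccert_attr" decision described above, written as the core of a Postfix SMTP access policy daemon in Python. The only Postfix-specific parts are the policy wire format (name=value lines terminated by a blank line, answered with "action=..." and a blank line) and the DUNNO/OK semantics; the DN parser and the attribute matching are the added logic. It assumes the daemon can be handed the full RFC 2253 subject and issuer DNs in ccert_subject and ccert_issuer, which, as the poster notes, the Postfix 2.5 policy protocol does not provide (it exports only the CN). The sample requests, the DN values and the REQUIRED table are constructed for the example.

```python
"""Attribute-based client-certificate relay check in the shape of a
Postfix access policy daemon.  Added example code, not part of Postfix.
ASSUMPTION: ccert_subject / ccert_issuer carry full RFC 2253 DNs; the
Postfix 2.5 policy protocol itself exports only the CommonName."""
import re
from typing import Dict, List, Tuple

# Constructed sample request in Postfix's policy-delegation format
# (name=value lines, terminated by an empty line).  DN values are made up.
SAMPLE_REQUEST_OK = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=62.163.213.88\n"
    "encryption_protocol=TLSv1\n"
    "ccert_subject=CN=Dick Visser,O=TERENA,C=NL\n"
    "ccert_issuer=CN=TERENA Personal CA,O=TERENA,C=NL\n"
    "\n"
)

# Same CA, different organisation: must NOT get relay access.
SAMPLE_REQUEST_OTHER_ORG = SAMPLE_REQUEST_OK.replace(
    "ccert_subject=CN=Dick Visser,O=TERENA,C=NL",
    "ccert_subject=CN=Someone Else,O=Other University,C=NL")

# Attributes a (chain-verified) client certificate must carry to relay.
REQUIRED = {
    "issuer":  {"CN": "TERENA Personal CA"},
    "subject": {"O": "TERENA", "C": "NL"},
}


def parse_policy_request(text: str) -> Dict[str, str]:
    """Read one policy request: name=value lines up to the first empty line."""
    attrs: Dict[str, str] = {}
    for line in text.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        attrs[name] = value
    return attrs


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep` while keeping backslash-escaped pairs intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 2253 DN such as 'CN=Foo\\, Inc,O=X' into (type, value)
    pairs.  Handles backslash-escaped characters; hex escapes (\\2C) and
    multi-valued RDNs ('+') are not handled and will not match anything."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return pairs


def dn_matches(dn: str, required: Dict[str, str]) -> bool:
    """True when every required (type, value) pair is present in the DN.
    Exact, case-sensitive comparison is the fail-closed choice here."""
    present = set(parse_dn(dn))
    return all((t.upper(), v) in present for t, v in required.items())


def check_ccert_attr(attrs: Dict[str, str], required=REQUIRED) -> str:
    """Return 'OK' only when issuer and subject satisfy `required`; otherwise
    'DUNNO' so the remaining smtpd restrictions (e.g. reject_unauth_destination)
    still decide.  The DN is only meaningful if Postfix verified the chain."""
    subject, issuer = attrs.get("ccert_subject", ""), attrs.get("ccert_issuer", "")
    if not subject or not issuer:
        return "DUNNO"
    try:
        ok = dn_matches(issuer, required["issuer"]) and dn_matches(subject, required["subject"])
    except ValueError:
        return "DUNNO"
    return "OK" if ok else "DUNNO"


def handle_request(text: str) -> str:
    """Full round trip: request text in, Postfix policy reply out."""
    return f"action={check_ccert_attr(parse_policy_request(text))}\n\n"


if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST_OK).strip())         # action=OK
    print(handle_request(SAMPLE_REQUEST_OTHER_ORG).strip())  # action=DUNNO
```

In a real deployment the daemon would be listed in master.cf and called from smtpd_recipient_restrictions with check_policy_service ahead of reject_unauth_destination, and it must only be fed certificates that Postfix has verified against smtpd_tls_CAfile, since an unverified DN proves nothing. Answering DUNNO rather than REJECT for non-matching certificates keeps SASL-authenticated clients and ordinary inbound mail unaffected.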