From: Dick Visser (no email)
Date: Tue Mar 23 2010 - 09:21:58 EDT
At the moment we use SASL authentication to allow our users to
send mail through our mailer (Postfix 2.5). I would like to extend this
to using client certificates for authentication as well.
Our users have personal certificates that are signed by a the "TERENA
Personal CA". Due to the nature of this CA, it is guaranteed that all
the attributes in the certificate are correct (see
https://www.terena.org/activities/tcs/ for more information).
So certificates with O=OrganisationX are therefore guaranteed to really
be from Organisation X. I would like to use this to give relay access to
Regarding access control and client certs I can find:
* allow all certs based on the issuer (smtpd_tls_CAfile). This is not an
option because the CA also signs ccerts from other institutions.
* allow certs based on their fingerprint (check_ccert_access). This is
Postfix has already access to at least the Common Name and Issuer
attributes of the ccert, as can be seen by these headers:
Received: from [192.168.2.199] (a213088.upc-a.chello.nl [18.104.22.168])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Dick Visser", Issuer "TERENA Personal CA" (verified OK))
(Authenticated sender: )
by erasmus.terena.org (Postfix) with ESMTPSA id 6466087BC3
for <>; Mon, 22 Mar 2010 21:33:38 +0100 (CET)
Is there a way to restrict relaying access only to clients showing a
certificate that has:
* issuer "TERENA Personal CA"
I guess what I am looking for is a new restriction called something like
"check_ccert_attr", that would use user defined attributes to take
decisions. That would be really scalable for our situation.
Any ideas how to implement this in other ways?
I looked into policy daemon options but Postfix does not pass any
certificate information other than ccert_subject, ccert_issuer, and
ccert_fingerprint, which is not enough for what we want.
-- Dick Visser System & Networking Engineer TERENA Secretariat Singel 468 D, 1017 AW Amsterdam The Netherlands T +31 20 530 44 88 F +31 20 530 44 99 | www.terena.org