Access based on client cert attributes?

From: Dick Visser (no email)
Date: Tue Mar 23 2010 - 09:21:58 EDT

  • Next message: Alain NAKACHE: "qmgr dsn=5.1.3, status=bounced (bad address syntax) for a RFC 822 compliant email address"

    Hi guys

    At the moment we use SASL authentication to allow our users to
    send mail through our mailer (Postfix 2.5). I would like to extend this
    to using client certificates for authentication as well.

    Our users have personal certificates that are signed by the "TERENA
    Personal CA". Due to the nature of this CA, it is guaranteed that all
    the attributes in the certificate are correct (see
    https://www.terena.org/activities/tcs/ for more information).

    So certificates with O=OrganisationX are therefore guaranteed to really
    be from Organisation X. I would like to use this to give relay access to
    my users.

    Regarding access control and client certs I can find:

    * allow all certs based on the issuer (smtpd_tls_CAfile). This is not an
    option because the CA also signs ccerts from other institutions.
    * allow certs based on their fingerprint (check_ccert_access). This is
    not scalable.

    Postfix already has access to at least the Common Name and Issuer
    attributes of the ccert, as can be seen by these headers:

    Received: from [192.168.2.199] (a213088.upc-a.chello.nl [62.163.213.88])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Dick Visser", Issuer "TERENA Personal CA" (verified OK))
        (Authenticated sender: )
         by erasmus.terena.org (Postfix) with ESMTPSA id 6466087BC3
         for <>; Mon, 22 Mar 2010 21:33:38 +0100 (CET)

    Is there a way to restrict relaying access only to clients showing a
    certificate that has:

    * issuer "TERENA Personal CA"
    * O=TERENA
    * C=NL

    ?

    I guess what I am looking for is a new restriction called something like
    "check_ccert_attr", that would use user defined attributes to take
    decisions. That would be really scalable for our situation.

    Any ideas how to implement this in other ways?
    I looked into policy daemon options but Postfix does not pass any
    certificate information other than ccert_subject, ccert_issuer, and
    ccert_fingerprint, which is not enough for what we want.

    Thanks!

    -- 
    Dick Visser
    System & Networking Engineer
    TERENA Secretariat
    Singel 468 D, 1017 AW Amsterdam
    The Netherlands
    T +31 20 530 44 88 F +31 20 530 44 99
     | www.terena.org
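As an added illustration (not code from the original post or from Postfix), the core of a Postfix policy daemon in Python that works with exactly the three attributes the post says Postfix passes (ccert_subject, ccert_issuer, ccert_fingerprint): it grants relay only when a verified client certificate from the named issuer is present and falls through to the other smtpd restrictions otherwise. The issuer string, the listening port and the treatment of an empty ccert_fingerprint as "no verified certificate" are assumptions made for this example; O= and C= cannot be checked this way, which is the limitation the post describes.

```python
import socketserver

# Assumption for this example: the issuer the post wants to trust.
TRUSTED_ISSUER = "TERENA Personal CA"


def parse_policy_request(text):
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, trusted_issuer=TRUSTED_ISSUER):
    """Return the policy action for one parsed request.

    OK is returned only for a RCPT-stage request that carries a client
    certificate fingerprint (assumed here to mean a verified cert) whose
    issuer matches; everything else is DUNNO, so the remaining
    smtpd_recipient_restrictions still apply. Only ccert_issuer and
    ccert_fingerprint are consulted, since O= and C= are not passed.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    if not attrs.get("ccert_fingerprint"):
        return "DUNNO"  # no (verified) client certificate presented
    if attrs.get("ccert_issuer") != trusted_issuer:
        return "DUNNO"
    return "OK"


def format_response(action):
    """Encode a policy reply in the protocol's 'action=...' form."""
    return "action=%s\n\n" % action


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = []
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:
                return  # client closed the connection
            buf.append(line)
            if line == "\n":  # blank line ends one request
                attrs = parse_policy_request("".join(buf))
                self.wfile.write(format_response(decide(attrs)).encode())
                buf = []


if __name__ == "__main__":
    # Example wiring (assumed): check_policy_service inet:127.0.0.1:10040
    socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```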