This patch adds this variable (I switched it from a BOOL to an int to
make it behave like $host_lookup_failed, I think -- it's late).
$tls_certificate_verified: This variable contains ``1'' if the SMTP
connection is encrypted and the client provides a certificate which is
successfully verified. Otherwise the value of the variable is ``0''.
Haven't tested it the other way around (i.e. verifying server certs).
Example usage (AUTH EXTERNAL):
external:
driver = plaintext
public_name = EXTERNAL
server_condition = ${if eq{$tls_certificate_verified}{1}{yes}{no}}
server_set_id = ${if match{$tls_peerdn}{\N/CN=(.+)/\N}{$1}fail}
I really wanted the regex [^/]CN=(.+)[/$] but my brain is too scrambled to
escape it properly. Hints appreciated; alternatively, the $tls_peercn
variable that SRH posted a patch for.
My patch assumes you're in src/ (sorry).
--- acl.c~ Mon Jul 22 09:59:47 2002
+++ acl.c Wed Sep 11 23:44:42 2002
@@ -436,7 +436,7 @@
mandatory verification, the connection doesn't last this long.) */
if (strcmpic(ss, US"certificate") == 0)
- return tls_certificate_verified? OK : FAIL;
+ return (tls_certificate_verified == 1)? OK : FAIL;
/* We can test the result of optional HELO verification */
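Review bot: The new test `(tls_certificate_verified == 1)` is stricter than the truth test it replaces: now that the variable is an int, any value other than exactly 1 fails the `verify = certificate` check. That is the safe direction (fail closed), but it is not obvious from the line, so a comment at the call site would stop a later change from assuming "non-zero means verified": `/* exactly 1 means the client cert verified; any other value fails */`. The enclosing function starts and ends outside the hunk.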
--- expand.c~ Mon Jul 22 09:59:48 2002
+++ expand.c Wed Sep 11 23:43:08 2002
@@ -246,6 +246,7 @@
{ "spool_directory", vtype_stringptr, &spool_directory },
{ "thisaddress", vtype_stringptr, &filter_thisaddress },
#ifdef SUPPORT_TLS
+ { "tls_certificate_verified",vtype_int, &tls_certificate_verified },
{ "tls_cipher", vtype_stringptr, &tls_cipher },
{ "tls_peerdn", vtype_stringptr, &tls_peerdn },
#endif
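Review bot: The added table entry is the only one in this block without a space after the comma; `{ "tls_certificate_verified",vtype_int, &tls_certificate_verified },` should be `{ "tls_certificate_verified", vtype_int, &tls_certificate_verified },` to match its neighbours. Its position before `tls_cipher` keeps the entries in alphabetical order, which matters if the variable lookup depends on a sorted table (the lookup code is not visible here). The example in the cover text relies on `vtype_int` expanding to the decimal string "1"; presumably it does, but that is worth confirming against the expansion code.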
--- globals.c~ Mon Jul 22 09:59:48 2002
+++ globals.c Wed Sep 11 23:46:18 2002
@@ -83,7 +83,7 @@
them. */
BOOL tls_active = -1;
-BOOL tls_certificate_verified = FALSE;
+int tls_certificate_verified = 0;
uschar *tls_cipher = NULL;
#ifdef SUPPORT_TLS
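Review bot: The new definition `int tls_certificate_verified = 0;` now agrees with the `extern int` declaration in the globals.h hunk, but the line above it, `BOOL tls_active = -1;`, still defines the object with a type different from its `extern int tls_active;` declaration in globals.h. Defining an object with one type and declaring it extern with another is undefined behaviour in C, and since this patch is already switching the sibling variable from BOOL to int, it is the natural place to make `tls_active` match as well. The rest of the declaration block continues outside the hunk.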
--- globals.h~ Mon Jul 22 09:59:49 2002
+++ globals.h Wed Sep 11 23:47:12 2002
@@ -48,7 +48,7 @@
them. */
extern int tls_active; /* fd/socket when in a TLS session */
-extern BOOL tls_certificate_verified; /* Client certificate verified */
+extern int tls_certificate_verified; /* Client certificate verified */
extern uschar *tls_cipher; /* Cipher used */
#ifdef SUPPORT_TLS
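Review bot: Changing the type from BOOL to int makes the comment `/* Client certificate verified */` on the new extern incomplete, because a reader can no longer assume the value is two-state; the cover text says the variable is 1 or 0, and that contract belongs on the declaration. Suggested comment: `/* 1 if the client certificate was verified, otherwise 0 */`. If any other value is ever intended (the `tls_active` line above uses -1 as a sentinel), it should be named here too.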
--- tls.c~ Mon Jul 22 09:59:51 2002
+++ tls.c Wed Sep 11 23:47:49 2002
@@ -196,7 +196,7 @@
tls_peerdn = txt;
}
-if (!verify_callback_called) tls_certificate_verified = TRUE;
+if (!verify_callback_called) tls_certificate_verified = 1;
verify_callback_called = TRUE;
return 1; /* accept */
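Review bot: The new line `if (!verify_callback_called) tls_certificate_verified = 1;` sets the variable to 1 on the first accepted callback invocation, so the final value depends on the reject path earlier in this function, which is outside the hunk, resetting it to 0 when a later certificate in the chain fails verification; if that path still assigns `FALSE` it should be changed to `0` for consistency with this hunk, and if it does not touch the variable at all, a chain whose first-checked certificate passes but whose end-entity certificate fails would still read as 1. The function's start is outside the hunk, so this could not be confirmed from the patch. A one-line comment at the assignment stating this dependency, `/* only the first callback sets this; the reject path must clear it */`, would make the invariant explicit.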