On Wed, Jan 08, 2003 at 05:52:29PM +0000, Matt Bernstein wrote:
> Not quite--iff the client cert verifies, the client can issue "AUTH
> EXTERNAL" with an optional username (=CN of the client cert IIRC) but no
> password.
ewwwwwwwwww. That's horrid.
> It's relatively cosmetic, allowing "P=asmtp A=external:my.client.cert" in
^^^^^^^^^^^^^^^^^^^^^^^^
mainly because of that
Thing is, it's cosmetic for your server logs, I'll agree, but for your client,
and what the "AUTH" means, it's pretty horrid, IMO.
> your logs so something which might otherwise look like unwanted relaying
> is explicable.
You mean you don't find something like:
[wrapped for clarity]
| 2003-01-08 18:00:04 18WKUl-0001JF-00 <= mbm@???
| H=dsl-212-23-14-8.zen.co.uk (asterisk.semi.colondot.net) [212.23.14.8]
| I=[193.201.200.72]:25 P=esmtp X=TLSv1:EDH-RSA-DES-CBC3-SHA:168
| DN="/C=UK/ST=LONDON/O=semi.colondot.net/CN=asterisk.semi.colondot.net"
| S=694 id=20030108175936.GA1584@???
enough? The DN= only appears to come up when it's been verified as being
correct (ie, it's in my allowed CA list). For me, that's a good enough
indicator.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
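To make the distinction in this exchange concrete, here is a small Python parser for Exim main-log "<=" lines of the shape quoted above. It is an added example, not code from the original thread or from Exim itself. It pulls out the H=, X=, DN= and A= fields and sorts each received message by how its origin is accounted for: SMTP AUTH (A= present, e.g. A=external:... as in the quoted reply), a verified client certificate (DN= present), TLS with no verified certificate, or neither. The rule that DN= means "the certificate verified against my CA list" is the post's own observation and is taken as given here; the sample log lines are constructed (documentation hosts and addresses, the DN is the one shown in the post), and the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of Exim main-log lines, modelled on the "<=" line quoted in
# the post. Hosts, addresses and message ids are illustrative only; the DN is the
# one shown in the post. The last line is a "=>" delivery line, which the parser
# must ignore.
SAMPLE_LOG = """\
2003-01-08 18:00:04 18WKUl-0001JF-00 <= mbm@example.net H=dsl-host.example.isp (asterisk.semi.colondot.net) [192.0.2.8] I=[198.51.100.72]:25 P=esmtp X=TLSv1:EDH-RSA-DES-CBC3-SHA:168 DN="/C=UK/ST=LONDON/O=semi.colondot.net/CN=asterisk.semi.colondot.net" S=694 id=20030108175936.GA1584@example.net
2003-01-08 18:05:11 18WKZc-0001JG-00 <= alice@example.net H=laptop.example.org [192.0.2.9] I=[198.51.100.72]:25 P=asmtp X=TLSv1:EDH-RSA-DES-CBC3-SHA:168 A=external:my.client.cert S=812 id=abc@example.org
2003-01-08 18:09:42 18WKdz-0001JH-00 <= bob@example.net H=unknown.example.com [203.0.113.5] I=[198.51.100.72]:25 P=esmtp X=TLSv1:EDH-RSA-DES-CBC3-SHA:168 S=1024 id=def@example.com
2003-01-08 18:12:00 18WKgM-0001JI-00 <= carol@example.net H=relay.example.com [203.0.113.6] I=[198.51.100.72]:25 P=esmtp S=512 id=ghi@example.com
2003-01-08 18:12:01 18WKgM-0001JI-00 => carol@example.net R=localuser T=local_delivery
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# "timestamp message-id <= sender rest-of-fields"; only receipt lines match.
RECEIPT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
# H=hostname (helo-name) [ip]; the HELO part in parentheses is optional.
HOST_RE = re.compile(r'H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]')
# Remaining key=value tokens; DN= is double-quoted and may contain spaces and '='.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Receipt:
    timestamp: str
    msgid: str
    sender: str
    host: Optional[str]
    helo: Optional[str]
    ip: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def tls(self) -> bool:          # X= is logged for TLS sessions
        return 'X' in self.fields

    @property
    def verified_dn(self) -> Optional[str]:   # DN= only for a verified client cert (per the post)
        return self.fields.get('DN')

    @property
    def auth(self) -> Optional[str]:          # A= names the successful SMTP AUTH mechanism
        return self.fields.get('A')


def parse_receipt(line: str) -> Optional[Receipt]:
    """Parse one main-log line; return None for anything that is not a '<=' receipt."""
    m = RECEIPT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    host = helo = ip = None
    hm = HOST_RE.search(rest)
    if hm:
        host, helo, ip = hm.group('host'), hm.group('helo'), hm.group('ip')
        rest = rest[:hm.start()] + rest[hm.end():]   # remove so the space-separated parts are not mis-tokenised
    fields: Dict[str, str] = {}
    for fm in FIELD_RE.finditer(rest):
        val = fm.group('val')
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[fm.group('key')] = val
    return Receipt(m.group('ts'), m.group('msgid'), m.group('sender'), host, helo, ip, fields)


def cn_from_dn(dn: str) -> Optional[str]:
    """Extract the CN from a slash-separated DN, the name AUTH EXTERNAL would present."""
    for part in dn.split('/'):          # assumes no escaped '/' inside attribute values
        if part.startswith('CN='):
            return part[3:]
    return None


def classify(r: Receipt) -> str:
    """How the origin of a received message is accounted for in the log."""
    if r.auth:
        return 'authenticated'      # SMTP AUTH succeeded (A= present)
    if r.verified_dn:
        return 'verified-cert'      # TLS client cert verified against the CA list (DN= present)
    if r.tls:
        return 'tls-no-cert'        # encrypted, but no verified client cert
    return 'plain'


def unexplained_receipts(log_text: str) -> List[Tuple[str, Optional[str], str]]:
    """Receipts that are neither authenticated nor cert-verified, for relay review."""
    out = []
    for line in log_text.splitlines():
        r = parse_receipt(line)
        if r is None:
            continue
        cat = classify(r)
        if cat not in ('authenticated', 'verified-cert'):
            out.append((r.msgid, r.ip, cat))
    return out


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        r = parse_receipt(line)
        if r:
            cn = cn_from_dn(r.verified_dn) if r.verified_dn else '-'
            print(f"{r.msgid} from [{r.ip}] {classify(r):15} CN={cn}")
    print("needs a look:", unexplained_receipts(SAMPLE_LOG))
```

Run against a real main log, the "needs a look" list is the set of receipts that neither an A= nor a DN= field explains, which is exactly the view the thread argues the DN= field already gives without an AUTH EXTERNAL exchange.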