Author: Paul Dekkers
Date:
To: Lars Mainka
CC: exim-users, Gray, Richard
Subject: Re: [exim] TLS and Client Certificate Verification
Lars Mainka wrote:
>> I may be wrong here, but my understanding of certs is that what exim is
>> doing is checking the authorities on your certificate. The idea is that
>> I would tell exim to allow mail from certs signed by the CA. I am now
>> able to issue certs for new users without having to log on to the box
>> and add their certificate
>
> Yes, that's exactly what exim is doing. But this would mean, if you are
> accepting certificates signed by Verisign (for example), every client
> with a Verisign certificate can connect to the box, whether you have
> the client cert on the box or not, and that would be a lot of clients.
If you cannot filter on the DN (haven't checked that, but that is what
you can do with apache for instance) or something, then you're probably
right.
>> From exim's point of view, It trusts the CA, and the CA trusts the
>> certificate, so exim trusts the certificate.
>
> If I used an SSL wrapper like stunnel, it would be possible to give only
> those clients access to the server whose certificates are copied
> to the server and accessible by their hash value. I don't want to use
> those wrappers, because I prefer one daemon listening on all the needed
> addresses and ports. In my understanding of the exim documentation
> "37.4 Requesting and verifying client certificates", the exim TLS
> implementation says nothing about the limitation of using CA
> certificates in the tls_verify_certificates directory.
>
> Has anybody got client authorization with certificates to work, or
> am I wrong in my understanding of the documentation?
We also do this with stunnel at the moment, so I would be interested in
doing this with exim directly as well. The only thing that stopped me
from experimenting with that is that I think that if I advertise
STARTTLS to the client on the normal smtp port, and it _must_
authenticate with a client certificate, what happens to the MTAs that
do know TLS but have no client certificate?
Normally the data transport is then secured, but without a proper client
certificate the SSL setup fails, I suppose?
The way to work around this is to have a separate IP of course for the
submission with TLS. (That is what we have now with stunnel...)
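As an added example (an editor's illustration, not configuration posted by Paul or Lars and not the exim project's own documentation), one exim configuration that addresses both points raised in this thread: it filters on the client certificate's subject DN in an ACL instead of admitting everyone whose certificate the CA happened to sign, and it advertises STARTTLS on port 25 without dropping MTAs that have no client certificate, because verification is attempted (tls_try_verify_hosts) rather than enforced at handshake time (tls_verify_hosts), and only the submission port insists on a verified certificate. Paths and the DN prefix are placeholders; the variable names are those of exim 4.80 and later ($tls_in_peerdn, $tls_in_certificate_verified), older releases call them $tls_peerdn and $tls_certificate_verified; the DN string format depends on whether exim is built against OpenSSL ("/C=../O=../CN=..") or GnuTLS ("CN=..,O=..,C=..").

```exim
# --- main (global) configuration section ---

# One daemon, two listeners: 25 for inbound MTA traffic, 587 for submission.
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *
tls_certificate     = /etc/exim/server.crt     # placeholder path
tls_privatekey      = /etc/exim/server.key     # placeholder path

# CA(s) whose signatures on CLIENT certificates are trusted. Anything signed
# by these CAs verifies, which is exactly why the ACL below also checks the DN.
tls_verify_certificates = /etc/exim/client-ca.pem   # placeholder path

# Ask every TLS client for a certificate, but do not abort the handshake when
# none is presented or it fails verification: peers that speak STARTTLS
# without a client certificate still get an encrypted session. The outcome is
# recorded in $tls_in_certificate_verified (1 = verified) for the ACLs.
# (tls_verify_hosts = * would instead tear the TLS session down.)
tls_try_verify_hosts = *

acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---

begin acl

acl_check_rcpt:

  # Submission port: the session must carry a certificate that verified
  # against tls_verify_certificates ...
  deny  condition   = ${if eq{$received_port}{587}}
        !verify     = certificate
        message     = submission requires a verified client certificate
        log_message = no verified client cert, peer DN "$tls_in_peerdn"

  # ... and the subject DN must belong to our own organisation. The CA check
  # alone is not enough when the CA is a public one, since it has signed
  # certificates for everybody else too. Placeholder DN prefix, OpenSSL style.
  deny  condition   = ${if eq{$received_port}{587}}
        !condition  = ${if match{$tls_in_peerdn}{\N^/C=NL/O=Example Org/\N}}
        message     = client certificate subject not permitted
        log_message = rejected client cert DN "$tls_in_peerdn"

  # A submission client that survived both checks may relay.
  accept  condition = ${if eq{$received_port}{587}}

  # Port 25 keeps accepting mail for local domains from any MTA, with or
  # without a client certificate, and refuses relaying as usual.
  accept  domains = +local_domains
  deny    message = relay not permitted
```

Usage note: with this layout the handshake on port 25 never fails for lack of a client certificate, so the "MTAs that know TLS but have no cert" case simply lands in the port 25 branch with $tls_in_certificate_verified set to 0; only connections on 587 are turned away, and the rejection reason (no certificate, unverified certificate, or wrong DN) is visible in the log via log_message. Because the DN filter is a regular expression over the string exim hands back, it should be tested against a certificate from your own CA and checked after any TLS-library change, as the string layout differs between OpenSSL and GnuTLS builds.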