Author: Paul Dekkers Date: To: Lars Mainka CC: exim-users, Gray, Richard Subject: Re: [exim] TLS and Client Certificate Verification
Hi Lars,
Lars Mainka wrote:
>> If you cannot filter on the DN (haven't checked that, but that is
>> what you can do with apache for instance) or something, then you're
>> probably right.
>
> That's another approach, but in my mind this is more like a workaround.
>
> I got the documentation wrong. Based on the source code, the current
> implementation is only able to handle CA certificates that the client
> certs get checked against. It seems that this would be the common
> approach to check client certificates.
I think you want more control there indeed.
>> We also do this with stunnel at the moment, so I would be interested
>> in doing this with exim directly as well. The only thing that stopped
>> me from experimenting with that is that I think that if I advertise
>> STARTTLS to the client on the normal smtp port, and it _must_
>> authenticate with a client certificate, what happens to the MTAs
>> that do know TLS but have no client certificate?
>> Normally the data transport is then secured, but without a proper
>> client certificate the SSL setup fails, I suppose?
>>
>> The way to work around this is to have a separate IP of course for the
>> submission with TLS. (That is what we have now with stunnel...)
>
> I think stunnel is the only way to get the client certs checked
> directly by ssl. My solution was: hacking the exim openssl code to do
> the same like stunnel, but this would happen in some extra work on
> updates.
Well, we might stick to stunnel then.
But anyway: doing this by checking against the CA does solve TLS for MUA
-> MTA authentication,
but in my view you still cannot mix this with MTA <-> MTA SSL, or am I
wrong?
I think with the current implementation I do need a different IP/port
for this not-to-be-mixed TLS behaviour...
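Added example, not from this thread or from Exim's own documentation: an Exim 4 configuration fragment showing the CA-based client certificate check discussed above, combined with an ACL that only grants relay when the verified certificate's subject DN matches an assumed naming pattern, while peer MTAs without a client certificate still get an ordinary STARTTLS session on the same port. File paths, the domain list and the DN pattern are assumptions; the variable names are the Exim 4.80+ spellings (older releases use $tls_certificate_verified and $tls_peerdn).

```exim
# ---- main section (paths are assumed for this example) ----
domainlist local_domains = @ : example.org

tls_advertise_hosts     = *
tls_certificate         = /etc/exim/mta.crt
tls_privatekey          = /etc/exim/mta.key

# CA bundle that client certificates are verified against
tls_verify_certificates = /etc/exim/submission-ca.pem

# Ask every TLS client for a certificate, but keep the session if none is
# presented or verification fails: peer MTAs with no client cert still get
# an encrypted session. tls_verify_hosts = * instead would abort their TLS
# setup, which is the mixing problem raised above.
tls_try_verify_hosts    = *

acl_smtp_rcpt = acl_check_rcpt

# ---- ACLs ----
begin acl

acl_check_rcpt:
  # Relay only for clients whose certificate verified against the CA *and*
  # whose subject DN matches the assumed pattern. The DN string format depends
  # on the TLS library (OpenSSL: /C=..,O=..,CN=..; GnuTLS: CN=..,O=..), so the
  # regex keys on a single RDN rather than the whole DN.
  accept condition = ${if eq{$tls_in_certificate_verified}{1}}
         condition = ${if match{$tls_in_peerdn}{\NOU=Submission\N}}
         logwrite  = submission by client certificate: $tls_in_peerdn

  # Everyone else, including MTAs that did STARTTLS without a client
  # certificate, may deliver to local domains only.
  accept domains = +local_domains

  deny   message = relay not permitted
```

With this, a client cert issued by a different CA, or one from the right CA but with a non-matching DN, is not rejected at the TLS layer; it simply gets no relay, and the logwrite line makes the accepted DNs visible in the mainlog for auditing.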