On Thu, 9 Jun 2005, Ralf Hauser wrote:
> Dear Phillip,
>
> Before wasting exim-user list-bandwidth just to you (although feel free to
> reply to the list):
I have done so, and will leave in your entire message, because I suspect
there are people on the list who know far more about this than I do, and
will be able to give more definitive answers.
> My server shall accept messages from one domain MTA based on client
> certificates.
> How to do this is described in
> http://exim.org/exim-html-4.50/doc/html/spec_38.html#SECT38.6.
The certificate checking is all handled either by OpenSSL or GnuTLS,
whichever you are using. I am pretty ignorant about both of them.
> The following questions remain:
> 1) what verification is done just whether the private key of the certificate
> was used - or
> 2) whether the "from email" is matches the certificates DN?
The only checks that are done are what the library provides. In the case
of OpenSSL, it calls functions like SSL_CTX_set_default_verify_paths,
SSL_CTX_load_verify_locations, and SSL_CTX_set_client_CA_list.
> 3) If 2, is there a way to have a wildcard in the certificate - e.g.
> "*@domainUsingCerts.tld" in order to only use one certificate on the sending
> MTA for all its users?
I don't think it is 2, and in any case, I don't know.
> 4) Hopefully, 1) or 3) applies - if so, I would like to hand off the pair
> ("sender-from-email" {=USERNAME}, $tls_peerdn) to an external script before
> declaring the authentication as successful - how would I do that?
>
> So far, for users who authenticate with their passwords and not a domain
> client certificate, I have
>
> begin authenticators
> login:
> driver = plaintext
> public_name = LOGIN
> server_condition = "${if and { \
> {!eq{$1}{}} \
> {!eq{$2}{}} \
> {eq{${run {/etc/exim/loginHttp.py '$1' '$2'
> '$sender_host_name' '$sender_host_address'}{0}{1}}}{0}} \
> }{yes}{no}}"
> server_set_id = $1
> server_prompts = Username:: : Password::
>
> Would I need to amend the authenticators section for the client cert domains
> with something alike
> clientCert:
> driver = plaintext
> server_condition = "${if and { \
> {eq{${run {/etc/exim/certCheck.py '$1'
> '$tls_peerdn'}{0}{1}}}{0}} \
> }{yes}{no}}"
> server_set_id = $1
> server_prompts = Username::
If you are using certificates for authentication, you do not need
authenticators. The certificate verification happens during the TLS
setup phase. You can then whether it was successful by testing
"encrypted=*" in an ACL if the client is in tls_try_verify_hosts. If the
client is in tls_verify_hosts, you don't get that far because the TLS
session fails.
> Many Thanks for any hints in advance!
>
> Ralf
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
