[exim] Re: verify-algorithm with TLS client certificates

Author: Philip Hazel
Date:  
To: exim-users, hauser
CC: 
Subject: [exim] Re: verify-algorithm with TLS client certificates
On Thu, 9 Jun 2005, Ralf Hauser wrote:

> Dear Phillip,
>
> Before wasting exim-user list-bandwidth just to you (although feel free to
> reply to the list):


I have done so, and will leave in your entire message, because I suspect
there are people on the list who know far more about this than I do, and
will be able to give more definitive answers.

> My server shall accept messages from one domain MTA based on client
> certificates.
> How to do this is described in
> http://exim.org/exim-html-4.50/doc/html/spec_38.html#SECT38.6.


The certificate checking is all handled either by OpenSSL or GnuTLS,
whichever you are using. I am pretty ignorant about both of them.

> The following questions remain:
> 1) what verification is done just whether the private key of the certificate
> was used - or
> 2) whether the "from email" matches the certificate's DN?


The only checks that are done are what the library provides. In the case
of OpenSSL, it calls functions like SSL_CTX_set_default_verify_paths,
SSL_CTX_load_verify_locations, and SSL_CTX_set_client_CA_list.

> 3) If 2, is there a way to have a wildcard in the certificate - e.g.
> "*@domainUsingCerts.tld" in order to only use one certificate on the sending
> MTA for all its users?


I don't think it is 2, and in any case, I don't know.

> 4) Hopefully, 1) or 3) applies - if so, I would like to hand off the pair
> ("sender-from-email" {=USERNAME}, $tls_peerdn) to an external script before
> declaring the authentication as successful - how would I do that?
>
> So far, for users who authenticate with their passwords and not a domain
> client certificate, I have
>
> begin authenticators
> login:
>         driver = plaintext
>         public_name = LOGIN
>         server_condition = "${if and { \
>                 {!eq{$1}{}} \
>                 {!eq{$2}{}} \
>                 {eq{${run {/etc/exim/loginHttp.py '$1' '$2' \
>                       '$sender_host_name' '$sender_host_address'}{0}{1}}}{0}} \
>                 }{yes}{no}}"
>         server_set_id = $1
>         server_prompts = Username:: : Password::

>
> Would I need to amend the authenticators section for the client cert domains
> with something like
> clientCert:
>         driver = plaintext
>         server_condition = "${if and { \
>                 {eq{${run {/etc/exim/certCheck.py '$1' \
>                       '$tls_peerdn'}{0}{1}}}{0}} \
>                 }{yes}{no}}"
>         server_set_id = $1
>         server_prompts = Username::


If you are using certificates for authentication, you do not need
authenticators. The certificate verification happens during the TLS
setup phase. You can then check whether it was successful by testing
"encrypted=*" in an ACL if the client is in tls_try_verify_hosts. If the
client is in tls_verify_hosts, you don't get that far because the TLS
session fails.


> Many Thanks for any hints in advance!
>
>     Ralf



-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
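As an added example (not part of either message above, and not text from the Exim specification), here is what the ACL-based approach Philip describes looks like when written out for Ralf's question 4: the envelope sender and $tls_peerdn are handed to an external script after the TLS layer has verified the client certificate, with a second, lookup-only variant that answers question 3 without any wildcard in the certificate. The file paths, the 192.0.2.0/24 host range, the certCheck.py script, the certdomains lookup file and the example DN are all assumptions for illustration.

```exim
# ---- main section ----
# Certificate and key this server presents to connecting clients (assumed paths).
tls_certificate = /etc/exim/server.crt
tls_privatekey = /etc/exim/server.key

# CA certificate(s) that issued the client certificates we are willing to
# trust; this is what Exim passes to the library for verification
# (SSL_CTX_load_verify_locations in the OpenSSL case).  Assumed path.
tls_verify_certificates = /etc/exim/client-cas.pem

# Ask every client for a certificate, but let the TLS session proceed whether
# or not one is presented and verifies; the decision is made in the ACL.
tls_try_verify_hosts = *
# If the sending MTA were listed here instead, a missing or unverifiable
# certificate would abort the TLS handshake and no ACL would ever run.
# tls_verify_hosts = 192.0.2.0/24

# Hosts that must authenticate with a certificate (constructed range).
hostlist cert_hosts = 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submissions that passed the LOGIN authenticator are still accepted.
  accept authenticated = *

  # Variant 1 (question 4): hand the pair (envelope sender, peer DN) to a
  # hypothetical script /etc/exim/certCheck.py; exit status 0 means
  # "acceptable".  This statement is only reached when the session is
  # encrypted AND the client certificate verified against
  # tls_verify_certificates.  Both arguments are quoted because ${run}
  # splits its command on whitespace.
  accept hosts = +cert_hosts
         encrypted = *
         verify = certificate
         condition = ${if eq{${run{/etc/exim/certCheck.py '$sender_address' '$tls_peerdn'}{0}{1}}}{0}}

  # Variant 2 (question 3): keep the policy inside Exim.  A hypothetical
  # lookup file /etc/exim/certdomains maps each peer DN to the single sender
  # domain it may speak for, one line per certificate, e.g.
  #   /C=CH/O=Example/CN=mx.domainUsingCerts.tld: domainUsingCerts.tld
  # (quote the key if the DN contains spaces).  One MTA certificate then
  # covers every local part of that domain; no wildcard is needed.
  accept hosts = +cert_hosts
         encrypted = *
         verify = certificate
         condition = ${if eq{$sender_address_domain}\
                     {${lookup{$tls_peerdn}lsearch{/etc/exim/certdomains}{$value}{}}}}

  # Anything else from those hosts is refused.
  deny   hosts = +cert_hosts
         message = a verified client certificate is required for $sender_address

  # ... the usual relay and recipient checks for other hosts follow here.
```

Two caveats when using this. First, the certificate only proves that the remote MTA holds the private key matching a certificate chained to one of your trusted CAs; it says nothing about the individual user, so the policy should bind the DN to a sender domain (as the lookup does) rather than to a local part, and the envelope sender itself remains an unverified claim. Second, $tls_peerdn is rendered differently by the two libraries Philip mentions (OpenSSL produces "/C=CH/O=Example/CN=..." while GnuTLS produces "C=CH,O=Example,CN=..."), so the lookup keys, or the script's parsing, must match the library Exim was built against. If any trusted CA could issue a certificate whose DN contains quotes or whitespace, the script variant's argument quoting can be subverted; the lookup variant does not have that problem because the DN never reaches a shell-like splitter.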