[exim] RE: verify-algorithm with TLS client certificates

Author: Ralf Hauser
Date:  
To: exim-users, ph10
CC: 
Subject: [exim] RE: verify-algorithm with TLS client certificates
Philip,

Thx for the quick answer.
> > 4) ... I would like to hand off the pair
> > ("sender-from-email" {=USERNAME}, $tls_peerdn) to an external script
> > before
> > declaring the authentication as successful - how would I do that?
> >
> > So far, for users who authenticate with their passwords and not a domain
> > client certificate, I have
> >
> > begin authenticators
> > login:
> >         driver = plaintext
> >         public_name = LOGIN
> >         server_condition = "${if and { \
> >                 {!eq{$1}{}} \
> >                 {!eq{$2}{}} \
> >                 {eq{${run {/etc/exim/loginHttp.py '$1' '$2' '$sender_host_name' '$sender_host_address'}{0}{1}}}{0}} \
> >                 }{yes}{no}}"
> >         server_set_id = $1
> >         server_prompts = Username:: : Password::
> >
> > Would I need to amend the authenticators section for the client cert
> > domains with something like
> > clientCert: 
> >         driver = plaintext
> >         server_condition = "${if and { \
> >                 {eq{$tls_certificate_verified}{1}} \
> >                 {eq{${run {/etc/exim/certCheck.py '$1' '$tls_peerdn'}{0}{1}}}{0}} \
> >                 }{yes}{no}}"
> >         server_set_id = $1
> >         server_prompts = Username::

>
> If you are using certificates for authentication, you do not need
> authenticators. The certificate verification happens during the TLS
> setup phase. You can then check whether it was successful by testing
> "encrypted=*" in an ACL if the client is in tls_try_verify_hosts. If the
> client is in tls_verify_hosts, you don't get that far because the TLS
> session fails.

If there is no link userName/fromAddress-tls_peerDN and no authenticator
checking for that, how do I avoid the following scenario:

<<An exim installation has in its tls_try_verify_hosts both acm.org and
cus.cam.ac.uk with the corresponding certificates in place.

If it works as you suggest, how can it be prevented that I authenticate
based on my acm.org certificate but identify myself and send mail in the
name of a user of the domain cus.cam.ac.uk?>>

Regards Ralf

P.S.: if we were to need a second "clientCert" authenticator, is it right
that exim tries all authenticators applicable and only fails authentication
if all result in {no}? If so, where in the docu do I find which
authenticators exim considers "applicable"? I furthermore assume exim
processes the authenticators sequentially as it finds them in the config
file?
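The check that the `clientCert` authenticator above hands to `/etc/exim/certCheck.py` could look like this. This is an added, constructed example and not part of Exim or of the poster's setup: it assumes `$1` is the full sender address, that `$tls_peerdn` arrives in either OpenSSL's `/C=..` or the comma-separated form, and that the policy table (constructed DNs and domains) lists exactly which mail domains each verified certificate DN may vouch for, so an acm.org certificate cannot be used to authenticate a cus.cam.ac.uk address. The script exits 0 for allowed and 1 for refused, which is what the `${run ...}{0}{1}` expansion expects.

```python
#!/usr/bin/env python3
"""certCheck.py (constructed example): may this username use this DN?
Exit status 0 = allowed, 1 = refused."""
import re
import sys

# Constructed policy (assumption): a verified certificate DN may only
# authenticate users of the listed mail domains. Keys are whole DNs, so a
# certificate from one domain never matches another domain's entry.
POLICY = {
    (("C", "US"), ("O", "acm.org"), ("CN", "mail.acm.org")): {"acm.org"},
    (("C", "GB"), ("O", "cus.cam.ac.uk"), ("CN", "mail.cus.cam.ac.uk")):
        {"cus.cam.ac.uk"},
}


def parse_dn(dn):
    """Normalise a DN string to a tuple of (ATTR, value) pairs.
    Accepts '/C=US/O=acm.org/CN=x' (OpenSSL order) and
    'CN=x,O=acm.org,C=US' (RFC 4514 order, most specific first), and
    returns both in OpenSSL order so they compare equal."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
        parts.reverse()
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def allowed(username, peer_dn, policy=POLICY):
    """True only if the domain of username is one this exact DN may vouch for."""
    local, at, domain = username.rpartition("@")
    if not at or not local or not domain:
        return False  # require a full address; a bare username is refused
    try:
        dn = parse_dn(peer_dn)
    except ValueError:
        return False  # unparseable DN is treated as no certificate at all
    return domain.lower() in policy.get(dn, set())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(1)
    sys.exit(0 if allowed(sys.argv[1], sys.argv[2]) else 1)
```

Because the lookup is on the whole normalised DN rather than a substring, a certificate whose CN merely contains another domain's name still fails the check.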