Re: [exim] RE: verify-algorithm with TLS client certificates

Author: Tony Finch
Date:
To: hauser
CC: exim-users, ph10
Subject: Re: [exim] RE: verify-algorithm with TLS client certificates
On Fri, 10 Jun 2005, Ralf Hauser wrote:

> If there is no link userName/fromAddress-tls_peerDN and no authenticator
> checking for that, how do I avoid the following scenario:
>
> <<An exim installation has in its tls_try_verify_hosts both acm.org and
> cus.cam.ac.uk with the corresponding certificates in place.
>
> If it works as you suggest, how can it be prevented that I authenticate
> based on my acm.org certificate but identify myself and send mail in the
> name of a user of the domain cus.cam.ac.uk?>>


If a sender has been authenticated (either with a TLS CERT or with SMTP
AUTH) and you know they can only legitimately use one email address, you
can add an ACL clause like the following (which is for the SMTP AUTH case):

  deny
    message       = Sender address does not match authenticated user
    authenticated = *
    senders       = ! $authenticated_id@$primary_domain


Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
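An added example, not from the list post or from Exim itself: a Python model of the same deny clause for the TLS client certificate case, where the identity to bind the sender to comes from the verified peer DN (Exim's $tls_in_certificate_verified and $tls_in_peerdn) rather than from $authenticated_id. The DN strings and addresses are constructed samples, and the DN parsing is an assumption, since the rendering of $tls_in_peerdn depends on the TLS library Exim was built with.

```python
import re
from typing import Optional, Tuple

# Constructed sample DNs in the two renderings a TLS library may produce:
# comma-separated RFC 2253 style and OpenSSL's slash-separated style.
SAMPLE_DNS = {
    "cam": "C=GB,O=University of Cambridge,CN=Fred Bloggs,emailAddress=fb@cus.cam.ac.uk",
    "acm": "/C=US/O=ACM/CN=alice@acm.org",
    "nomail": "CN=Alice Example,O=ACM",
}

# An emailAddress (or E=) attribute, or a CN, in either DN rendering.
_EMAIL_ATTR = re.compile(r"(?:^|[,/])\s*(?:emailAddress|E)=([^,/]+)", re.I)
_CN_ATTR = re.compile(r"(?:^|[,/])\s*CN=([^,/]+)", re.I)


def identity_from_dn(peer_dn: str) -> Optional[str]:
    """Email identity bound to a client certificate DN, or None.
    Prefers emailAddress; falls back to the CN only when the CN itself is
    an address. Anything else yields no identity, so the caller fails closed.
    """
    m = _EMAIL_ATTR.search(peer_dn)
    if m is None:
        m = _CN_ATTR.search(peer_dn)
        if m is None or "@" not in m.group(1):
            return None
    return m.group(1).strip().lower()


def check_sender(cert_verified: bool, peer_dn: str, sender: str) -> Tuple[str, str]:
    """Verdict of a deny clause for the TLS client certificate case.
    cert_verified mirrors $tls_in_certificate_verified and peer_dn mirrors
    $tls_in_peerdn; sender is the envelope sender the ACL is evaluating.
    Returns ("deny", message) when the clause would reject, otherwise
    ("pass", reason). Like 'authenticated = *', it does not apply to a
    sender without a verified certificate; other clauses handle those.
    """
    if not cert_verified:
        return "pass", "no verified client certificate; clause does not apply"
    identity = identity_from_dn(peer_dn)
    if identity is None:
        return "deny", "verified certificate carries no email identity to bind"
    if sender.strip().lower() != identity:
        return "deny", "Sender address does not match TLS client certificate"
    return "pass", "sender matches certificate identity " + identity


if __name__ == "__main__":
    # The scenario from the question: a valid acm.org certificate used to
    # send in the name of a cus.cam.ac.uk user is refused.
    print(check_sender(True, SAMPLE_DNS["acm"], "alice@acm.org"))
    print(check_sender(True, SAMPLE_DNS["acm"], "fb@cus.cam.ac.uk"))
```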