On Fri, 10 Jun 2005, Ralf Hauser wrote:
> <<An exim installation has in its tls_try_verify_hosts both acm.org and
> cus.cam.ac.uk with the corresponding certificates in place.
>
> If it works as you suggest, how can it be prevented that I authenticate
> based on my acm.org certificate but identify myself and send mail in the
> name of a user of the domain cus.cam.ac.uk?>>
In an ACL, check that the value of $tls_peerdn corresponds with the
sender address.
> P.S.: if we were to need a second "clientCert" authenticator, is it right
> that exim tries all authenticators applicable and only fails authentication
> if all result in {no}? If so, where in the docu do I find which
> authenticators exim considers "applicable" ? I furthermore assume exim
> processes the authenticators sequentially as it finds them in the config
> file?
No. At least, that's not what I have written in the documentation, and I
hope that what I wrote is correct. (See, I can't remember it all when
time has passed - I have to read my own documentation!) The spec says
this:
If AUTH is not rejected by the ACL, Exim searches its configuration
for a server authentication mechanism that was advertised in response
to EHLO and that matches the one named in the AUTH command. If it
finds one, it runs the appropriate authentication protocol, and
authentication either succeeds or fails.
There is no statement that, after a failure, it goes on to look for any
other authenticator. In fact, I seem to recall there's a Wish List item
about this. Ah yes, here it is:
------------------------------------------------------------------------------
(143) 06-Mar-03 L Ability to have multiple authenticators of same type
For example, to have two PLAIN authenticators; if the first fails, try the
second.
------------------------------------------------------------------------------
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book