RE: [exim]: verify-algorithm with TLS client certificates

Author: Ralf Hauser
Date:  
To: exim-users, dot
CC: ph10
Subject: RE: [exim]: verify-algorithm with TLS client certificates
Tony,

Thanks for the below hint - some follow-up questions:
The setup I should handle is a notes domain that wants to authenticate for
all its users with one certificate (apparently Lotus Domino 6.0.1 cannot
send with TLS and passwords).

1) I guess as long as I have only one domain, I can do with something in my
acl like
deny
  message = Sender address does not match domain certificate domain
  senders = ! ^.*@$primary_domain


without having authentication

2) if there are multiple domains using the domain certificate
authentication, would there be an easy way to extract the domain out of the
from-header and compare it with the domain found in the $tls_peerdn?

Or is it possible to only get the username from an AUTH without asking for
the password instead?

Or shall I use a verify = sender ... as per
http://exim.org/exim-html-4.50/doc/html/spec_39.html#IX2566 in acl_smtp_data
or acl_not_smtp - do you have any examples?

Many thanks for any hints in advance!

      Ralf


P.S.: Just tested, my syntax in 1) doesn't appear to be correct :(

08:34:50 11288 processing "deny"
08:34:50 11288 check senders = ! ^.*@$primary_domain
08:34:50 11288 ---0 Get 0x80e9aa0    88       expand.c 2514
08:34:50 11288 ---0 Get 0x80e9af8    40       string.c  347
08:34:50 11288 failed to expand: ! ^.*@$primary_domain
08:34:50 11288    error message: unknown variable name "primary_domain"
08:34:50 11288 LOG: MAIN PANIC
08:34:50 11288   failed to expand "! ^.*@$primary_domain" while checking a
list: unknown variable name "primary_domain"
08:34:50 11288 deny: condition test deferred
08:34:50 11288 ---0 Get 0x80e9b20    32       string.c  347
08:34:50 11288 ---0 Get 0x80e9b40    40       string.c  347
08:34:50 11288 SMTP>> 451 Temporary local problem - please try later

> -----Original Message-----
> From: fanf2@??? [mailto:fanf2@hermes.cam.ac.uk] On Behalf Of
> Tony Finch
> Sent: Friday, June 10, 2005 1:29 PM
> To: hauser@???
> Cc: exim-users@???; ph10@???
> Subject: Re: [exim] RE: verify-algorithm with TLS client certificates
>
> On Fri, 10 Jun 2005, Ralf Hauser wrote:
>
> > If there is no link userName/fromAddress-tls_peerDN and no authenticator
> > checking for that, how do I avoid the following scenario:
> >
> > <<An exim installation has in its tls_try_verify_hosts both acm.org and
> > cus.cam.ac.uk with the corresponding certificates in place.
> >
> > If it works as you suggest, how can it be prevented that I authenticate
> > based on my acm.org certificate but identify myself and send mail in the
> > name of a user of the domain cus.cam.ac.uk?>>
>
> If a sender has been authenticated (either with a TLS CERT or with SMTP
> AUTH) and you know they can only legitimately use one email address, you
> can add an ACL clause like the following (which is for the SMTP AUTH case)
>
>   deny
>     message       = Sender address does not match authenticated user
>     authenticated = *
>     senders       = ! $authenticated_id@$primary_domain
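The two sender checks discussed in this thread, as an added example that is not part of either message and is not Exim configuration: a small Python model of the decision an ACL would make. It covers Tony's SMTP AUTH rule (the sender must be `<authenticated_id>@<primary_domain>`) and the multi-domain certificate case from question 2), where the domain of the envelope sender is compared with the CN of the client certificate (`$tls_peerdn`) and that CN must be one of the domains whose certificates the server verifies. The DN formats, the domain set and the sample addresses are constructed assumptions; the function names are hypothetical.

```python
import re

# Domains whose client certificates this server is configured to verify
# (the two domains from the scenario in the thread; constructed sample set).
CERT_DOMAINS = {"acm.org", "cus.cam.ac.uk"}


def cn_from_dn(dn):
    """Return the CN of an OpenSSL-style DN ('/C=GB/O=X/CN=host') or of the
    comma-separated form ('CN=host, O=X'); None if the DN has no CN.
    Assumption: CN holds a bare domain name, as in the thread's setup."""
    if not dn:
        return None
    m = re.search(r"(?:^|/|,\s*)CN=([^/,]+)", dn)
    return m.group(1).strip() if m else None


def sender_domain(address):
    """Lower-cased domain of an envelope sender; None if the address is malformed."""
    if not address or address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def check_sender(sender, tls_peerdn=None, authenticated_id=None,
                 primary_domain=None, cert_domains=CERT_DOMAINS):
    """Return ('accept', reason) or ('deny', reason) for one message.

    SMTP AUTH case (Tony's rule): sender must be <authenticated_id>@<primary_domain>.
    TLS client-cert case: the sender's domain must equal the certificate CN, and that
    CN must be one of the domains whose certificates we actually verify, so an
    acm.org certificate cannot be used to send as cus.cam.ac.uk.
    Anything else is treated as unauthenticated and denied (assumption: this models
    the relay decision only, not acceptance of mail for local delivery).
    """
    dom = sender_domain(sender)
    if dom is None:
        return ("deny", "malformed sender address")

    if authenticated_id is not None:
        expected = "%s@%s" % (authenticated_id, primary_domain)
        if sender.lower() == expected.lower():
            return ("accept", "sender matches authenticated user %s" % expected)
        return ("deny", "sender %s is not authenticated user %s" % (sender, expected))

    if tls_peerdn is not None:
        cn = cn_from_dn(tls_peerdn)
        if cn is None:
            return ("deny", "client certificate has no CN")
        cn = cn.lower()
        if cn not in cert_domains:
            return ("deny", "certificate domain %s is not one we verify" % cn)
        if dom != cn:
            return ("deny", "sender domain %s does not match certificate domain %s"
                    % (dom, cn))
        return ("accept", "sender domain matches certificate CN %s" % cn)

    return ("deny", "not authenticated")


if __name__ == "__main__":
    # Constructed sample transactions, including the cross-domain case from the thread.
    samples = [
        ("alice@cus.cam.ac.uk", dict(tls_peerdn="/C=GB/O=University of Cambridge/CN=cus.cam.ac.uk")),
        ("alice@cus.cam.ac.uk", dict(tls_peerdn="/C=US/O=ACM/CN=acm.org")),
        ("ralf@example.org", dict(authenticated_id="ralf", primary_domain="example.org")),
        ("bob@example.org", dict(authenticated_id="ralf", primary_domain="example.org")),
        ("nobody@acm.org", {}),
    ]
    for sender, ctx in samples:
        verdict, why = check_sender(sender, **ctx)
        print("%-6s %-22s %s" % (verdict, sender, why))
```

In Exim terms the certificate branch corresponds to comparing `$sender_address_domain` with the CN extracted from `$tls_peerdn` in a `condition =` on a `deny` verb, while the SMTP AUTH branch is Tony's `senders = ! $authenticated_id@...` rule. The debug output earlier in this message shows that `$primary_domain` is not a built-in expansion variable (Exim's built-in is `$primary_hostname`), so in either rule it has to be defined as a macro or replaced by a literal domain.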