Tony,
Thanks for the below hint - some follow-up questions:
The setup I should handle is a notes domain that wants to authenticate for
all its users with one certificate (apparently Lotus Domino 6.0.1 cannot
send with TLS and passwords).
1) I guess as long as I have only one domain, I can do with something in my
acl like
deny
message = Sender address does not match domain certificate domain
senders = ! ^.*@$primary_domain
without having authentication
2) if there are multiple domains using the domain certificate
authentication, would there be an easy way to extract the domain out of the
from-header and compare it with the domain found in the $tls_peerdn?
Or is it possible to only get the username from an AUTH without asking for
the password instead?
Or shall I use a verify = sender ... as per
http://exim.org/exim-html-4.50/doc/html/spec_39.html#IX2566 in acl_smtp_data
or acl_not_smtp - do you have any examples?
Many thanks for any hints in advance!
Ralf
P.S.: Just tested, my syntax in 1) doesn't appear to be correct :(
08:34:50 11288 processing "deny"
08:34:50 11288 check senders = ! ^.*@$primary_domain
08:34:50 11288 ---0 Get 0x80e9aa0 88 expand.c 2514
08:34:50 11288 ---0 Get 0x80e9af8 40 string.c 347
08:34:50 11288 failed to expand: ! ^.*@$primary_domain
08:34:50 11288 error message: unknown variable name "primary_domain"
08:34:50 11288 LOG: MAIN PANIC
08:34:50 11288 failed to expand "! ^.*@$primary_domain" while checking a
list: unknown variable name "primary_domain"
08:34:50 11288 deny: condition test deferred
08:34:50 11288 ---0 Get 0x80e9b20 32 string.c 347
08:34:50 11288 ---0 Get 0x80e9b40 40 string.c 347
08:34:50 11288 SMTP>> 451 Temporary local problem - please try later
> -----Original Message-----
> From: fanf2@??? [mailto:fanf2@hermes.cam.ac.uk] On Behalf Of
> Tony Finch
> Sent: Friday, June 10, 2005 1:29 PM
> To: hauser@???
> Cc: exim-users@???; ph10@???
> Subject: Re: [exim] RE: verify-algorithm with TLS client certificates
>
> On Fri, 10 Jun 2005, Ralf Hauser wrote:
>
> > If there is no link userName/fromAddress-tls_peerDN and no authenticator
> > checking for that, how do you avoid the following scenario:
> >
> > <<An exim installation has in its tls_try_verify_hosts both acm.org and
> > cus.cam.ac.uk with the corresponding certificates in place.
> >
> > If it works as you suggest, how can it be prevented that I authenticate
> > based on my acm.org certificate but identify myself and send mail in the
> > name of a user of the domain cus.cam.ac.uk?>>
>
> If a sender has been authenticated (either with a TLS CERT or with SMTP
> AUTH) and you know they can only legitimately use one email address, you
> can add an ACL clause like the following (which is for the SMTP AUTH case)
>
> deny
> message = Sender address does not match authenticated user
> authenticated = *
> senders = ! $authenticated_id@$primary_domain
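An added example for the two questions in this thread (it is not Exim's own configuration and not code from either poster): an ACL fragment that ties the envelope sender to the SMTP AUTH user in one clause, and ties the sender domain and the From: header domain to the subject CN of a verified TLS client certificate in two further clauses. The ACL names acl_check_mail and acl_check_data, the CERT_DOMAIN macro and the use of $qualify_domain in place of the non-existent $primary_domain from the debug output are all assumptions made here; so is the convention that the certificate's CN is exactly the mail domain the client may send for. $tls_peerdn is the 4.50 variable name (later releases call it $tls_in_peerdn), and the example relies on the certificate having been verified against tls_verify_certificates so that $tls_peerdn is only set for trusted certificates.

```exim
# --- main configuration section (assumed placement) ---------------------
# Macro (assumption): pull the CN out of the peer DN. OpenSSL renders the
# DN as "/C=CH/O=Example/CN=example.org", GnuTLS as "CN=example.org,O=...";
# the regex accepts both forms. Empty string if no CN is present.
CERT_DOMAIN = ${if match{$tls_peerdn}{\N(?:^|[/,])CN=([^/,]+)\N}{$1}{}}

# --- ACL section --------------------------------------------------------
begin acl

# Referenced as acl_smtp_mail = acl_check_mail (name is an assumption).
acl_check_mail:

  # Case 1 (Tony's clause): a client that did SMTP AUTH may only use the
  # address that belongs to the authenticated id. $qualify_domain replaces
  # $primary_domain, which Exim reports as an unknown variable.
  deny
    message       = Sender address does not match authenticated user
    authenticated = *
    senders       = ! ${lc:$authenticated_id}@$qualify_domain

  # Case 2: a client identified by a verified TLS client certificate may
  # only use an envelope sender in the domain named by the certificate CN.
  # The first condition makes this clause apply only when a certificate
  # DN is available; the second denies when the domains differ.
  deny
    message   = Sender domain $sender_address_domain does not match \
                certificate subject $tls_peerdn
    encrypted = *
    condition = ${if def:tls_peerdn {yes}{no}}
    condition = ${if eq{${lc:$sender_address_domain}}{${lc:CERT_DOMAIN}} \
                   {no}{yes}}

  # Sessions with neither SMTP AUTH nor a client certificate fall through
  # to the normal relay-control clauses, which are not shown here.
  accept

# Referenced as acl_smtp_data = acl_check_data (name is an assumption).
# Checks the From: header rather than the envelope sender, which is only
# possible after DATA; ${address:} extracts the first address from the
# header, ${domain:} its domain part.
acl_check_data:

  deny
    message   = From: header domain does not match certificate subject
    condition = ${if def:tls_peerdn {yes}{no}}
    condition = ${if eq{${lc:${domain:${address:$h_from:}}}} \
                       {${lc:CERT_DOMAIN}} {no}{yes}}

  accept
```

With this layout a client that presents the acm.org certificate but sends MAIL FROM:<someone@cus.cam.ac.uk> is refused at the MAIL command, and a client that passes that check but forges a cus.cam.ac.uk From: header is refused at DATA; the rejections show up in the main log with the message text, which makes the mismatch easy to spot when reviewing logs. Whether the envelope check, the header check, or both are wanted depends on which address the Domino server is actually expected to control.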