RE: [exim]: verify-algorithm with TLS client certificates

Author: Tony Finch
Date:  
To: hauser
CC: exim-users
Subject: RE: [exim]: verify-algorithm with TLS client certificates
On Sun, 26 Jun 2005, Ralf Hauser wrote:
>
> 1) I guess as long as I have only one domain, I can do with something in my
> acl like
> deny
>        message   = Sender address does not match domain certificate domain
>        senders       = ! ^.*@$primary_domain
>
> without having authentication

Perhaps you mean $primary_hostname or $qualify_domain here.

> 2) if there are multiple domains using the domain certificate
> authentication, would there be an easy way to extract the domain out of the
> from-header and compare it with the domain found in the $tls_peerdn?
It's probably easier to use $sender_address_domain, which uses the return
path rather than the From: header, but these are usually the same.
Alternatively ${domain:$header_from:} might do the right thing (I haven't
checked).

> Or is it possible to only get the username from an AUTH without asking for
> the password instead?
There's a SASL mechanism called EXTERNAL which only passes the username,
and which relies on some non-SASL means to authenticate (e.g. SSL, trust,
etc.). However, you're unlikely to be able to use this if your client can't
use password authentication.

> Or shall I use a verify = sender ... as per
> http://exim.org/exim-html-4.50/doc/html/spec_39.html#IX2566 in acl_smtp_data
> or acl_not_smtp - do you have any examples?
verify = sender just checks that email can be delivered to the sender's
address; it cannot verify that the message was sent by who it appeared to
be sent by.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
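As an added illustration of the check discussed in this thread (this is not code from Tony's or Ralf's messages, nor from the Exim project), here is an Exim ACL fragment that pulls the CN out of $tls_peerdn and refuses the message when it differs from the envelope sender's domain, with a second ACL applying the same test to the From: header via ${domain:$h_from:} as Tony suggests. It assumes the server already requires and verifies client certificates for these clients (tls_verify_certificates / tls_verify_hosts), that the certificate's CN holds a bare domain name, and that the $tls_certificate_verified variable is available in the running version; the ACL names acl_check_mail and acl_check_data are invented.

```exim
# Added example; not from the original thread. ACL names are invented.
# Main section: hook the ACLs in.
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

# Runs after MAIL FROM: the envelope sender domain must equal the CN of
# the verified client certificate.
acl_check_mail:
  # Only a *verified* certificate identifies the client; a certificate that
  # was merely presented (tls_try_verify_hosts) proves nothing. Assumes
  # $tls_certificate_verified exists and tls_verify_hosts covers the client.
  deny
    message   = A verified TLS client certificate is required
    condition = ${if eq{$tls_certificate_verified}{1}{no}{yes}}

  # Pull the CN out of the DN and compare it, case-insensitively, with the
  # domain of the return path. The DN format depends on the TLS library:
  # "C=GB,O=Example,CN=example.org" (GnuTLS) or
  # "/C=GB/O=Example/CN=example.org" (OpenSSL), so accept either separator.
  # A CN containing an escaped "," or "/" is not handled here.
  deny
    message   = Sender domain $sender_address_domain does not match \
                client certificate $tls_peerdn
    condition = ${if match{$tls_peerdn}{(?:^|[,/])CN=([^,/]+)} \
                  {${if eq{${lc:$1}}{${lc:$sender_address_domain}}{no}{yes}}} \
                  {yes}}

  accept

# Runs after DATA: the same test against the From: header, for clients whose
# return path differs from the header address. ${domain:} parses a single
# RFC 2822 address; a From: carrying several addresses expands to an empty
# string and is therefore rejected.
acl_check_data:
  deny
    message   = From: domain does not match client certificate $tls_peerdn
    condition = ${if match{$tls_peerdn}{(?:^|[,/])CN=([^,/]+)} \
                  {${if eq{${lc:$1}}{${lc:${domain:$h_from:}}}{no}{yes}}} \
                  {yes}}

  accept
```

The first deny is the important one from a security standpoint: $tls_peerdn is filled in whenever a certificate is presented, so comparing domains against it only means something once the certificate chain has actually been verified against the configured CA.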