Re: [exim] Using external programs for certificate validatio…

Author: Mike Cardwell
Date:  
To: Exim Users List
Subject: Re: [exim] Using external programs for certificate validation
Fredrik Melander wrote:

> On behalf of my employer I'm trying to port a script I used to parse
> x509-certificates with Postfix to work with Exim. This is my very first
> experience with Exim so bear with me if my questions come across as
> stupid. I did briefly plough through "The Exim SMTP mail server" (Hazel)
> and searched the archive, unfortunately without ending up that much
> wiser (well, in this regard).
>
> What I want to do is something along the following lines:
>
> Let's say I have a daemon process in form of a python-script listening
> on a certain port on my machine. Upon receiving an x509-certificate from
> a remote machine Exim delegates this to my script, preferably over TCP
> but if not possible also through a pipe or similar. My script will then
> decide if the email should be accepted or not.
>
> With postfix I would simply have my daemon listening to a port of my
> liking, say 5244, and then use a rule like:
>
> smtpd_recipient_restrictions = check_policy_service inet:localhost:5244
>
> ...and so on... With Exim I've seen two options that I figure could do
> something similar. First, the queryprogram router, and secondly the
> run-command (in string expansions). The problems I see with these are
> that my script gets started and stopped each time an email arrives
> instead of remaining running as a daemon. Secondly, I haven't figured
> out how to pass the appropriate arguments to them (with Postfix, for
> example, I'd get a nice array with information about the client and its
> certificate "for free" without explicitly having to ask for it).
>
> I'm afraid my limited experience with Exim kind of prevents me from
> asking the right questions, but I'd be very happy for any suggestions in
> the matter. Is my problem somewhat clear? Are there any other possible
> ways of achieving this? Is it at all possible for Exim to call my script
> over a TCP-port like stated above?


You can connect to a tcp port by using the "readsocket" expansion as
described on
http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html

I'm not sure if you can get access to the certificate details that you
want though. $tls_peerdn contains the client certificate distinguished
name if that is enough? You can also get the cipher used from
$tls_cipher and whether or not the certificate verified from
$tls_certificate_verified. They are all described on the same page as
readsocket.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
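As an added illustration of the readsocket approach (not code from the thread or from Exim), here is a small Python policy daemon on the port 5244 mentioned in the question, which receives $tls_peerdn, $tls_cipher and $tls_certificate_verified from Exim and answers accept or reject; the one-key=value-per-line request format, the ACL fragment in the docstring and the trusted-organisation list are all assumptions of this example.

```python
"""Client-certificate policy daemon queried by Exim via readsocket.

Assumed ACL fragment (whole value double-quoted so Exim processes \\n):
  deny message   = client certificate rejected by policy
       condition = "${if eq {${readsocket{inet:localhost:5244}\\
           {peerdn=$tls_peerdn\\ncipher=$tls_cipher\\nverified=$tls_certificate_verified\\n}\\
           {5s}}}{reject}}"
"""
import socketserver

# Constructed allowlist for this example: organisations whose *verified*
# client certificates we accept mail from.
TRUSTED_ORGS = {"Example AB"}


def parse_dn(dn):
    """Map an OpenSSL-style (/C=SE/O=X/CN=y) or GnuTLS-style (CN=y,O=X,C=SE)
    distinguished name to {attribute: value}."""
    sep = "/" if dn.startswith("/") else ","
    attrs = {}
    for part in dn.strip(sep).split(sep):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def decide(request):
    """Return 'accept' or 'reject' for one request of key=value lines."""
    fields = {}
    for line in request.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    # Never trust the DN unless Exim itself verified the certificate chain.
    if fields.get("verified") != "1":
        return "reject"
    org = parse_dn(fields.get("peerdn", "")).get("O")
    return "accept" if org in TRUSTED_ORGS else "reject"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # readsocket shuts down its write side after sending the request,
        # so reading to EOF yields exactly one request.
        request = self.rfile.read().decode("utf-8", "replace")
        self.wfile.write(decide(request).encode())


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 5244), PolicyHandler) as srv:
        srv.serve_forever()
```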