Re: [exim] Using external programs for certificate validatio…

Author: Fredrik Melander
Date:  
CC: Exim Users List
Subject: Re: [exim] Using external programs for certificate validation
Thanks to Mike and Steve for suggestions! I've yet to try them out, but
I'm sure they'll come in handy :)

Regards,
Fredrik
Mike Cardwell schrieb:
> Fredrik Melander wrote:
>
>> On behalf of my employer I'm trying to port a script I used to parse
>> x509-certificates with Postfix to work with Exim. This is my very first
>> experience with Exim so bear with me if my questions come across as
>> stupid. I did briefly plough through "The Exim SMTP mail server" (Hazel)
>> and searched the archive, unfortunately without ending up that much
>> wiser (well, in this regard).
>>
>> What I want to do is something along the following lines:
>>
>> Let's say I have a daemon process in the form of a python-script listening
>> on a certain port on my machine. Upon receiving an x509-certificate from
>> a remote machine Exim delegates this to my script, preferably over TCP
>> but if not possible also through a pipe or similar. My script will then
>> decide if the email should be accepted or not.
>>
>> With postfix I would simply have my daemon listening to a port of my
>> liking, say 5244, and then use a rule like:
>>
>> smtpd_recipient_restrictions = check_policy_service inet:localhost:5244
>>
>> ...and so on... With Exim I've seen two options that I figure could do
>> something similar. First, the queryprogram router, and secondly the
>> run-command (in string expansions). The problems I see with these are
>> that my script gets started and stopped each time an email arrives
>> instead of remaining running as a daemon. Secondly, I haven't figured
>> out how to pass the appropriate arguments to them (with Postfix, for
>> example, I'd get a nice array with information about the client and its
>> certificate "for free" without explicitly having to ask for it).
>>
>> I'm afraid my limited experience with Exim kind of prevents me from
>> asking the right questions, but I'd be very happy for any suggestions in
>> the matter. Is my problem somewhat clear? Are there any other possible
>> ways of achieving this? Is it at all possible for Exim to call my script
>> over a TCP-port as stated above?
>
> You can connect to a tcp port by using the "readsocket" expansion as
> described on
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html
>
> I'm not sure if you can get access to the certificate details that you
> want though. $tls_peerdn contains the client certificate distinguished
> name if that is enough? You can also get the cipher used from
> $tls_cipher and whether or not the certificate verified from
> $tls_certificate_verified. They are all described on the same page as
> readsocket.
>
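The pattern Mike describes (Exim hands the TLS variables to a long-running daemon via readsocket and acts on the one-line answer) is easy to get subtly wrong on the daemon side: it must fail closed on malformed input, time out stuck connections, and never trust $tls_peerdn unless $tls_certificate_verified says the chain checked out. The following Python policy daemon is an added example written for this thread; it is not code from either poster or from the Exim project. It assumes a hypothetical ACL line (shown in the docstring) that sends `verified|cipher|peerdn` on one line, that $tls_peerdn is in OpenSSL's slash-separated one-line format, and that the allow-list of organisations and the weak-cipher tokens are constructed sample policy, not anything from the thread.

```python
"""Certificate policy daemon for Exim's ${readsocket...} expansion.

Added example, not from the mailing-list thread. Hypothetical Exim ACL
fragment that would talk to it (assumed syntax, place in acl_smtp_rcpt):

  deny  message   = client certificate rejected by policy
        condition = ${if eq{${readsocket{inet:127.0.0.1:5244}\
                    {$tls_certificate_verified|$tls_cipher|$tls_peerdn\n}\
                    {5s}{\n}{fail}}}{OK}{no}{yes}}

Note the {fail} fallback: if the daemon is down, readsocket yields "fail",
which is not "OK", so the ACL denies (fail closed rather than open).
"""
import socket
import socketserver

# Constructed sample policy: which certificate O= values may relay.
ALLOWED_ORGS = {"Example Corp"}
# Constructed sample policy: reject sessions whose cipher name contains these.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT")


def parse_dn(dn):
    """Turn an OpenSSL one-line DN such as '/C=SE/O=Example Corp/CN=mail'
    into a dict. Pieces without '=' are ignored; a repeated attribute keeps
    the last value."""
    out = {}
    for part in dn.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def decide(line):
    """Return 'OK' or 'REJECT <reason>' for one request line.

    Any deviation from the expected three-field format is rejected, so a
    truncated or garbled request can never be mistaken for an accept."""
    fields = line.rstrip("\r\n").split("|", 2)
    if len(fields) != 3:
        return "REJECT malformed request"
    verified, cipher, peerdn = fields
    # $tls_certificate_verified is "1" only when the chain verified; the DN
    # in $tls_peerdn is attacker-chosen otherwise, so check this first.
    if verified != "1":
        return "REJECT certificate not verified"
    if any(token in cipher.upper() for token in WEAK_CIPHER_TOKENS):
        return "REJECT weak cipher " + cipher
    org = parse_dn(peerdn).get("O")
    if org not in ALLOWED_ORGS:
        return "REJECT organisation not allowed"
    return "OK"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One request line in, one reply line out, then close."""
    timeout = 5  # seconds; a stalled client cannot pin the handler forever

    def handle(self):
        try:
            # Bound the read so an oversized request cannot exhaust memory.
            line = self.rfile.readline(4096).decode("utf-8", "replace")
        except (socket.timeout, OSError):
            return  # Exim's readsocket falls through to its {fail} string
        self.wfile.write((decide(line) + "\n").encode("utf-8"))


def serve(host="127.0.0.1", port=5244):
    """Bind to loopback only: the protocol has no authentication, so it
    must not be reachable from anything but the local Exim."""
    with socketserver.TCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

The decision logic lives in `decide()` rather than in the handler so it can be unit-tested without opening a socket, and the daemon answers a single line per connection because readsocket opens a fresh connection for every expansion anyway.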