Re: [exim] Client Certificate Authentication

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Stephen Gran
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Client Certificate Authentication
On Tue, Nov 23, 2010 at 08:19:39PM +0100, Matthias-Christian Ott said:
> On Tue, Nov 23, 2010 at 01:55:36PM -0500, Phil Pennock wrote:
> > On 2010-11-22 at 23:14 +0100, Matthias-Christian Ott wrote:
> > > for fail-over I want to add a spooling relay to an existing Exim
> > > server. I would prefer to useauthentication via client certificates. Is
> > > this possible with Exim?
> >
> > Yes. Use the tls_certificate and tls_privatekey options on the SMTP
> > Transport used. There are other relevant options too. See:
> > 30.4 Private options for smtp
> > 39.9 Configuring an Exim client to use TLS
> > of The Exim Specification, "spec.txt" or online at:
> > http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
>
> This is not what I was looking for. I'm already using TLS and
> tls_verify_certificates doesn't solve my problem because it seems to me
> that I have to keep all client certifcates on the actual mail server in a
> directory.
>
> I would like to sign the server and the client (relay) certificate
> by a CA and store the CA certificate on the server and instruct the
> server to accept only messages from relays which provide a certificate
> which is signed by the server (similar to OpenID client certificate
> authentication).


You need to do something like:
tls_verify_certificates = /etc/exim4/ssl/ca.crt
tls_try_verify_hosts = *

On the relay. This will verify the cert against the CA, rather than
against a known list of certs.

Cheers,
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Gnagloot, n.:  A person who leaves all  |
|  steve@???             | his ski passes on his jacket just to    |
|  http://www.lobefin.net/~steve | impress people.   -- Rich Hall,         |
|                                | "Sniglets"                              |

--------------------------------------------------------------------------