On 27/12/2010 17:53, Nikolaus Rath wrote:
> I would like to match a number of TLS client certificates in an ACL.
> What's the best way to do this?
>
> I came up with
>
> accept
>   verify = certificate
>   condition = ${lookup{$tls_peerdn}lsearch{/etc/exim4/relayhosts}{true}{false}}
>   control = submission
>
> but this requires me to put really awkward long DN strings into the
> relayhosts file. I'd rather just match on something more concise, e.g.
> the CN.
>
> Any recommendations?
Pull out the CN from $tls_peerdn using the "sg" string expansion and
search using that value. See:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html
--
Mike Cardwell
https://secure.grepular.com/ https://twitter.com/mickeyc
Professional
http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
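The following is an added worked example of the suggestion above; it is not configuration from either poster. It assumes the ACL is named acl_check_rcpt (the Debian default), that /etc/exim4/relayhosts holds one CN per line, and that $tls_peerdn is rendered in OpenSSL's slash-separated form; a GnuTLS build formats the DN differently, so the regex would need adjusting there.

```exim
# Added example, not from the thread: accept a TLS client whose certificate
# CN is listed in /etc/exim4/relayhosts.
#
# Assumed file format (lsearch, one CN per line; anything after a colon or
# white space on the line is data and is ignored by the {true}{false} lookup):
#   mail.example.org
#   relay.example.net
#
# Assumption: $tls_peerdn is in OpenSSL's slash-separated form, e.g.
#   /C=DE/O=Example/CN=mail.example.org
# GnuTLS renders the DN comma-separated, so adapt the regex to the TLS
# library Exim is built against.

acl_check_rcpt:

  # "verify = certificate" must stay first: if no client certificate was
  # presented, or it fails verification against tls_verify_certificates,
  # the statement fails here and the lookup is never run on an empty or
  # unverified DN.
  #
  # ${sg ...} strips everything except the CN value. The regex is wrapped in
  # \N...\N so its $ and parentheses are not expanded, and $1 in the
  # replacement is written as \$1 for the same reason.
  accept
    verify    = certificate
    condition = ${lookup{${sg{$tls_peerdn}{\N^.*/CN=([^/]+).*$\N}{\$1}}}lsearch{/etc/exim4/relayhosts}{true}{false}}
    control   = submission
```

If the DN contains no CN component, ${sg ...} returns the subject unchanged, so the full DN is looked up and the lookup fails closed as long as the file lists only CNs. Matching on CN alone is only as strong as the CA set in tls_verify_certificates: any CA in that set could issue a certificate bearing a listed CN, so keep that set limited to the CA (or CAs) that actually issue the relay clients' certificates.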