Discussion:
permit_tls_clientcerts based on CommonName
a***@gmail.com
2017-07-21 04:23:59 UTC
Would it be possible to allow certain clients who have valid TLS certificates signed by one of the standard trusted root CAs to relay based on the certificate CN attribute?


Allowing by fingerprint causes an operational issue because if the client renews their certificate, their fingerprint will change. I only want to allow, for example, CN=*.example.com where the certificate is signed by one of the root CAs that I trust. The client can present an intermediate chain as well. It looks like the smtpd_check.c file can be modified to do this, but I haven't done C coding in 15 years so would be a bit uncomfortable.

As an example, Office 365 allows relaying through a connector if you present a client cert with a CN that matches a pre-confirmed whitelist.
AmitG
2017-07-21 04:57:48 UTC
Post by a***@gmail.com
Would it be possible to allow certain clients who have valid TLS certificates signed by one of the standard trusted root CAs to relay based on the certificate CN attribute?
Allowing by fingerprint causes an operational issue because if the client renews their certificate, their fingerprint will change. I only want to allow, for example, CN=*.example.com where the certificate is signed by one of the root CAs that I trust. The client can present an intermediate chain as well. It looks like the smtpd_check.c file can be modified to do this, but I haven't done C coding in 15 years so would be a bit uncomfortable.
As an example, Office 365 allows relaying through a connector if you present a client cert with a CN that matches a pre-confirmed whitelist.
So looking for something in between PERMIT_TLS_ALL_CLIENTCERTS and PERMIT_TLS_CLIENTCERTS

make something like PERMIT_TLS_SIGNED_CNAME_CLIENTCERTS
AmitG
2017-07-21 06:14:29 UTC
Post by AmitG
Post by a***@gmail.com
Would it be possible to allow certain clients who have valid TLS certificates signed by one of the standard trusted root CAs to relay based on the certificate CN attribute?
Allowing by fingerprint causes an operational issue because if the client renews their certificate, their fingerprint will change. I only want to allow, for example, CN=*.example.com where the certificate is signed by one of the root CAs that I trust. The client can present an intermediate chain as well. It looks like the smtpd_check.c file can be modified to do this, but I haven't done C coding in 15 years so would be a bit uncomfortable.
As an example, Office 365 allows relaying through a connector if you present a client cert with a CN that matches a pre-confirmed whitelist.
So looking for something in between PERMIT_TLS_ALL_CLIENTCERTS and PERMIT_TLS_CLIENTCERTS
make something like PERMIT_TLS_SIGNED_CNAME_CLIENTCERTS
Sorry, very late night working. I mistyped "CNAME" instead of "CN". And when I think about it some more, I think I may need Subject instead of CN for matching.
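Editor's note. The check the thread asks for (relay permitted when a client certificate verifies against a trusted root and its subject CN matches an allowlist, independent of the key fingerprint) does not need a patch to smtpd_check.c; it can be expressed as an SMTPD access-policy service, which receives name=value attributes and answers with an action. The example below is added here and is not code from the thread or from Postfix. It assumes the Postfix policy protocol as documented in SMTPD_POLICY_README: in particular that the ccert_subject attribute carries the client certificate's subject CN and is sent empty unless Postfix verified the chain against smtpd_tls_CAfile/smtpd_tls_CApath with smtpd_tls_ask_ccert = yes. The allowlist, the listening address 127.0.0.1:10040 and the main.cf fragment in the docstring are constructed for illustration. The "*." wildcard is deliberately restricted to a single DNS label, so "*.example.com" matches mx1.example.com but neither example.com nor a.b.example.com.

```python
"""Hypothetical Postfix SMTPD policy service: permit relay by verified client-cert CN.

Assumed main.cf wiring (constructed for this example, not from the thread):
    smtpd_tls_ask_ccert = yes
    smtpd_tls_CAfile    = /etc/postfix/trusted-client-roots.pem
    smtpd_relay_restrictions =
        permit_mynetworks,
        check_policy_service inet:127.0.0.1:10040,
        reject_unauth_destination
"""
import socketserver

# Constructed allowlist (assumption): a leading "*." matches exactly one DNS label.
ALLOWED_CN_PATTERNS = ("*.example.com", "relay.example.net")

LISTEN = ("127.0.0.1", 10040)   # assumed policy-service address


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def cn_matches(cn: str, pattern: str) -> bool:
    """Case-insensitive match; '*.' covers one label only and never the bare apex."""
    cn, pattern = cn.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        if not cn.endswith(suffix):
            return False
        label = cn[: -len(suffix)]
        return label != "" and "." not in label
    return cn == pattern


def decide(attrs: dict, patterns=ALLOWED_CN_PATTERNS) -> str:
    """Map a parsed request to a Postfix policy action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Assumption (check SMTPD_POLICY_README for your version): ccert_subject is the
    # client cert's subject CN and is empty unless the chain verified, so an empty
    # value must never be treated as a match.
    cn = attrs.get("ccert_subject", "").strip()
    if cn and any(cn_matches(cn, p) for p in patterns):
        return "OK"
    # DUNNO lets the remaining restrictions (reject_unauth_destination) decide.
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve any number of requests on one connection, one answer per blank line."""

    def handle(self):
        pending = []
        while True:
            line = self.rfile.readline()
            if not line:                           # Postfix closed the connection
                return
            if line in (b"\n", b"\r\n"):           # end of one request
                action = decide(parse_policy_request("\n".join(pending)))
                self.wfile.write(f"action={action}\n\n".encode("ascii"))
                self.wfile.flush()
                pending = []
            else:
                pending.append(line.decode("utf-8", "replace").rstrip("\r\n"))


def serve_forever(listen=LISTEN):
    with socketserver.ThreadingTCPServer(listen, PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve_forever()
```

Two points worth keeping in mind before deploying something like this. First, the service only adds a name check on top of Postfix's own chain verification; it must never grant on an empty ccert_subject, and the trusted roots in smtpd_tls_CAfile should be the smallest set that issues to the intended clients, because anyone who can obtain a certificate for a matching name from any of those roots (in practice, whoever controls that DNS name) will be allowed to relay. The fingerprint method the thread finds inconvenient pins a specific key instead. Second, the service returns DUNNO rather than REJECT on a non-match so that the rest of smtpd_relay_restrictions keeps applying.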