postfix-3.6-20200316
authorWietse Venema <wietse@porcupine.org>
Mon, 16 Mar 2020 05:00:00 +0000 (00:00 -0500)
committerViktor Dukhovni <postfix-users@dukhovni.org>
Sun, 15 Mar 2020 23:41:55 +0000 (19:41 -0400)
postfix/HISTORY
postfix/RELEASE_NOTES-3.5
postfix/html/postconf.5.html
postfix/man/man5/postconf.5
postfix/proto/postconf.proto
postfix/src/global/mail_version.h
postfix/src/smtpd/smtpd_check.c

index 23e8bebd54bb29efc48553bd4bcb937247313de0..f41ef305f9b810ba49cf9b2d047a2912c38c49fc 100644 (file)
@@ -24666,10 +24666,8 @@ Apologies for any names omitted.
        but "smtpd_tls_ask_clientcert = no".  Files: proto/postconf.proto,
        smtpd/smtpd_check.c.
 
-20200315
+20200316
 
-       Bugfix (introduced: 20190517 development release): in
-       check_ccert_access, the issuer_cn and subject_cn matches
-       now require that the client certificate is signed by a CA
-       that the Postfix SMTP server trusts. Files: smtpd/smtpd_check.c,
+       Removed the issuer_cn and subject_cn matches from
+       check_ccert_access. Files: smtpd/smtpd_check.c,
        proto/postconf.proto.
index 4fa6a616bfa6dd48940a58de5253706b0f522c95..d3c41b83bae0d946c81cf8de8f029848a843a745 100644 (file)
@@ -72,10 +72,7 @@ exact same result:
                 search_order = cert_fingerprint, pubkey_fingerprint } }
         ...
 
-The check_ccert_access search order also supports the subject_cn and
-issuer_cn client certificate properties, when the client certificate
-is signed by a CA that the Postfix SMTP server trusts. Support is
-planned for rfc822name and smtputf8mailbox.
+Support is planned for other certificate features.
 
 Major changes - dovecot usability
 ---------------------------------
index 3a8dc8e7888242a9cb8115c478b476bcfcf4c270..5930016ae4ce52694408b77be2c6b9b168467492 100644 (file)
@@ -14252,10 +14252,7 @@ above corresponds with: </dd>
 <dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
 pubkey_fingerprint } } </dd>
 
-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts. </dd>
+<dd> The commas are optional. </dd>
 
 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
index 3f6e3b4a2764b72c8b1e824488cbc9e515dc08ca..d1e3147b5e42b794e5b192a588d10613720f3039 100644 (file)
@@ -9535,10 +9535,7 @@ above corresponds with:
 check_ccert_access { type:table, { search_order = cert_fingerprint,
 pubkey_fingerprint } }
 .br
-The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts.
+The commas are optional.
 .br
 .IP "\fBcheck_client_access \fItype:table\fR\fR"
 Search the specified access database for the client hostname,
index d9702a4732537cee95beafe2977d9f487df079a0..ca384963b79c6557320e60f1b292d683f08ba120 100644 (file)
@@ -5123,10 +5123,7 @@ above corresponds with: </dd>
 <dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
 pubkey_fingerprint } } </dd>
 
-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts. </dd>
+<dd> The commas are optional. </dd>
 
 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
index 52bf63af82aac8150f7ea2bbab441cf067e90fa2..86d23e701aaa675370c7652c88e1a92cab472c20 100644 (file)
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20200315"
+#define MAIL_RELEASE_DATE      "20200316"
 #define MAIL_VERSION_NUMBER    "3.6"
 
 #ifdef SNAPSHOT
index c76669b082c77d529315bf4579839bd4783d68df..35c713158ef275ee1a3fbdc829ca002c177f1564 100644 (file)
@@ -3186,24 +3186,14 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
        const char *action;
        const char *match_this;
        const char *known_action;
-       int     need_trusted_cert;
 
        for (action = search_order; *action; action++) {
-           need_trusted_cert = 1;
            switch (*action) {
            case SMTPD_ACL_SEARCH_CODE_CERT_FPRINT:
                match_this = state->tls_context->peer_cert_fprint;
-               need_trusted_cert = 0;
                break;
            case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
                match_this = state->tls_context->peer_pkey_fprint;
-               need_trusted_cert = 0;
-               break;
-           case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
-               match_this = state->tls_context->issuer_CN;
-               break;
-           case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN:
-               match_this = state->tls_context->peer_CN;
                break;
            default:
                known_action = str_name_code(search_actions, *action);
@@ -3216,13 +3206,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
                                           451, "4.3.5",
                                           "Server configuration error"));
            }
-           if (need_trusted_cert && !TLS_CERT_IS_TRUSTED(state->tls_context)) {
-               if (msg_verbose)
-                   msg_info("%s: skipping %s %s: untrusted client certificate",
-                            myname, str_name_code(search_actions, *action),
-                            match_this);
-               return SMTPD_CHECK_DUNNO;
-           }
            if (msg_verbose)
                msg_info("%s: look up %s %s",
                         myname, str_name_code(search_actions, *action),
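Review bot: With the issuer_cn and subject_cn cases removed, any search_order code other than the two fingerprint codes now falls into the `default` branch at the end of the first hunk and is answered with the 451 "Server configuration error" visible at the top of the second hunk, i.e. only when a client actually presents a certificate. If the search_order parser elsewhere in smtpd_check.c (not visible in these hunks) still accepts the "issuer_cn" and "subject_cn" names, a configuration that kept them would pass startup and fail per-connection, so confirm the parser's name table was trimmed in the same change. The two remaining cases would also benefit from a short comment stating why the trust check could go, e.g. `/* Fingerprint matches pin the exact certificate or key, so no CA trust chain is required. */` above the `for` loop. check_ccert_access begins before the first hunk and continues past the second.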