diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-01-05 19:11:18 +0000 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-01-05 19:11:18 +0000 |
| commit | fcb900d84cc71cb169bd1b223920de1026772695 (patch) | |
| tree | 389889cfc7cb99e2d0a27b1e3349d4f60c004927 /doc | |
| parent | ae75164b86600394f3e271a3d54bb88d946eb924 (diff) | |
Docs: tweak TLS authenticator chapter
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 2d69e1af0..25e35070e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -26607,7 +26607,7 @@ to be returned. If the result of a successful expansion is an empty string, expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. For any other result, a temporary error code is returned, with the expanded -string as the error text +string as the error text. &*Warning*&: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. @@ -27435,20 +27435,25 @@ tls: driver = tls server_param1 = ${certextract {subj_altname,mail,>:} \ {$tls_in_peercert}} - server_condition = ${if forany {$auth1} \ + server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \ + {forany {$auth1} \ {!= {0} \ {${lookup ldap{ldap:///\ mailname=${quote_ldap_dn:${lc:$item}},\ ou=users,LDAP_DC?mailid} {$value}{0} \ - } } } } + } } } }}} server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}} .endd This accepts a client certificate that is verifiable against any of your configured trust-anchors (which usually means the full set of public CAs) and which has a SAN with a good account name. -Note that the client cert is on the wire in-clear, including the SAN, -whereas a plaintext SMTP AUTH done inside TLS is not. + +Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +The account name is therefore guessable by an opponent. +TLS 1.3 protects both server and client certificates, and is not vulnerable +in this way. +Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. . An alternative might use . .code |