Subject: Re: Client Auth certificates, threat or menace?
From: INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please) (at) *nospam* esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Date: 23 May 2025, 08:44:06
Other headers
Organization: MGT Consulting
Message-ID: <100p906$i35$1@news.misty.com>
References: 1 2 3 4
User-Agent: trn 4.0-test77 (Sep 1, 2010)
John Levine wrote:
> Right. It would make sense to look for the client extension when
> checking a cert presented for SMTP AUTH, otherwise not. Any idea
> whether the code does that?
What do you mean by "a cert presented for SMTP AUTH"?
Certs are handled during the TLS handshake.
    AuthMechanisms
        List of authentication mechanisms for AUTH
        (separated by spaces). The advertised list
        of authentication mechanisms will be the
        intersection of this list and the list of
        available mechanisms as determined by the
        Cyrus SASL library. If STARTTLS is active,
        EXTERNAL will be added to this list. In
        that case, the value of {cert_subject} is
        used as authentication id.
If the server cannot "verify" the client cert, then obviously it
won't be used - and as explained elsewhere openssl does not allow
verifying a cert which is just for a "server".
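The OpenSSL behaviour the post relies on can be checked directly. The script below is an added example, not code from the thread or from sendmail: it generates two throwaway self-signed certificates (names, paths and the CN are constructed), one whose extendedKeyUsage is only serverAuth and one with clientAuth, then asks `openssl verify -purpose sslclient` whether each is acceptable as a TLS client certificate, which is the purpose check a server applies to the cert offered in the handshake. It assumes an `openssl` binary of 1.1.1 or newer on PATH (for `req -addext`).

```shell
#!/bin/sh
# Added example (not from the thread): does OpenSSL accept a certificate
# for the "sslclient" purpose when its EKU only says serverAuth?
set -eu

# Scratch directory for the constructed test certificates (removed on exit).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: self-signed test certificate with the given
# extendedKeyUsage, written to $WORK/NAME.pem (CN is a constructed value).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# eku_of CERT: print the Extended Key Usage line as openssl x509 -text shows it.
eku_of() {
    openssl x509 -noout -text -in "$1" |
        awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# client_purpose_ok CERT: "accepted" if OpenSSL will verify the certificate
# for the sslclient purpose, "rejected" otherwise. The self-signed cert is
# used as its own trust anchor so only the purpose check can fail.
client_purpose_ok() {
    if openssl verify -purpose sslclient -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_cert server_only serverAuth
make_cert client clientAuth

for name in server_only client; do
    cert="$WORK/$name.pem"
    printf '%-12s EKU=%-32s sslclient purpose: %s\n' \
        "$name" "$(eku_of "$cert")" "$(client_purpose_ok "$cert")"
done
```

The serverAuth-only certificate is reported as rejected (OpenSSL's reason text is "unsupported certificate purpose"), the clientAuth one as accepted; a server that does not run such a purpose check, or runs it without `-purpose sslclient`, would treat both the same, which is the gap the thread is discussing.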