diff options
| author | Alejandro Soto <alejandro@34project.org> | 2024-07-27 14:57:26 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-27 20:10:00 -0600 |
| commit | 14c56a9dd2b67102ac4c6c5648e4afb53b144eaa (patch) | |
| tree | cf9dd2bb0f583baf5233253e2505cde183ce6110 /pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch | |
| parent | ecdd297868a6a7df5b61ae38bace9462961e5b4f (diff) | |
pkgs: patch postfix to implement CCERTS action in access tables
Diffstat (limited to 'pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch')
| -rw-r--r-- | pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch b/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch new file mode 100644 index 0000000..ceec3dc --- /dev/null +++ b/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch @@ -0,0 +1,55 @@ +From e50dd20ed36e3031a049e1fdb99894d2a974adfa Mon Sep 17 00:00:00 2001 +From: Alejandro Soto <alejandro@34project.org> +Date: Sat, 27 Jul 2024 14:42:37 -0600 +Subject: [PATCH] smtpd: implement CCERTS action for access(5) tables + +Permits access if a valid TLS client certificate is present and matches +any item from a space or comma-separated list of certificate +fingerprints given as argument. Otherwise, behaves as DUNNO. + +Example usage: + +/etc/postfix/sender_ccerts: + user@example.com CCERTS AA:BB:CC:DD:EE:FF:12:34:56:67:2E:FB:3F:34:99:90:AB:CD:EF:4C +--- + postfix/src/smtpd/smtpd_check.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c +index 6aeda7475..b4232194d 100644 +--- a/src/smtpd/smtpd_check.c ++++ b/src/smtpd/smtpd_check.c +@@ -2677,6 +2677,30 @@ static int check_table_result(SMTPD_STATE *state, const char *table, + } + } + ++ // Advertencia: buf para value usa un límite de 10 chars (ver inicio de esta función) ++ // FIXME: Posible timing attack, solo determinaría fingerprint ++ if (STREQUAL(value, "CCERTS", cmd_len)) { ++#ifdef USE_TLS ++ if (TLS_CERT_IS_PRESENT(state->tls_context)) { ++ const char *fprint = state->tls_context->peer_cert_fprint; ++ if (fprint && *fprint) { ++ size_t fprint_len = strlen(fprint); ++ ++ const char *ccerts = cmd_text; ++ while (*ccerts) { ++ size_t ccert_len = strcspn(ccerts, ", \t"); ++ if (ccert_len == fprint_len && strncmp(ccerts, fprint, fprint_len) == 0) ++ return (smtpd_acl_permit(state, STR(buf), reply_class, reply_name, ++ "from %s", table)); ++ ++ ccerts += ccert_len + strspn(ccerts + ccert_len, ", \t"); ++ } ++ } ++ } ++#endif ++ return (SMTPD_CHECK_DUNNO); ++ } ++ + /* + * All-numeric result probably means OK - some out-of-band authentication + * mechanism uses this as time stamp. +-- +2.44.1 + |