1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
From e50dd20ed36e3031a049e1fdb99894d2a974adfa Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Sat, 27 Jul 2024 14:42:37 -0600
Subject: [PATCH] smtpd: implement CCERTS action for access(5) tables
Permits access if a valid TLS client certificate is present and matches
any item from a space or comma-separated list of certificate
fingerprints given as argument. Otherwise, behaves as DUNNO.
Example usage:
/etc/postfix/sender_ccerts:
user@example.com CCERTS AA:BB:CC:DD:EE:FF:12:34:56:67:2E:FB:3F:34:99:90:AB:CD:EF:4C
---
postfix/src/smtpd/smtpd_check.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
index 6aeda7475..b4232194d 100644
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -2677,6 +2677,30 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
}
}
+ // Advertencia: buf para value usa un límite de 10 chars (ver inicio de esta función)
+ // FIXME: Posible timing attack, solo determinaría fingerprint
+ if (STREQUAL(value, "CCERTS", cmd_len)) {
+#ifdef USE_TLS
+ if (TLS_CERT_IS_PRESENT(state->tls_context)) {
+ const char *fprint = state->tls_context->peer_cert_fprint;
+ if (fprint && *fprint) {
+ size_t fprint_len = strlen(fprint);
+
+ const char *ccerts = cmd_text;
+ while (*ccerts) {
+ size_t ccert_len = strcspn(ccerts, ", \t");
+ if (ccert_len == fprint_len && strncmp(ccerts, fprint, fprint_len) == 0)
+ return (smtpd_acl_permit(state, STR(buf), reply_class, reply_name,
+ "from %s", table));
+
+ ccerts += ccert_len + strspn(ccerts + ccert_len, ", \t");
+ }
+ }
+ }
+#endif
+ return (SMTPD_CHECK_DUNNO);
+ }
+
/*
* All-numeric result probably means OK - some out-of-band authentication
* mechanism uses this as time stamp.
--
2.44.1
|
