Feature Request: login_trusted_networks to take FQDN
Sean Gallagher
sean at teletech.com.au
Wed Feb 15 09:31:48 UTC 2023
In a previous post to this list I described a problem I was having
validating client certificates on inet_listener lmtp connections.
Subject: "Please Help: Dovecot ssl_ca selection based on remote IP
address filtering not working."
The problem there was that Dovecot does not "inspect" the subject name
on the client certificate on LMTP connections. As such, any valid
certificate will pass. In this context "valid" means the same as OpenSSL
SSL_set_verify( ,SSL_VERIFY_PEER, ), i.e. the certificate chain is well
formed and can be traced back to a trusted root. It does not say
anything about the peer's identity.
I propose here that the "login_trusted_networks" setting be allowed to
take a domain name - possibly with wildcards. Then the name on the
client certificate could be checked against login_trusted_networks in
much the same way that web browsers work.
If you tell your web browser that you want to connect to
www.example.com, the browser will check that the server's certificate
matches "www.example.com".
In the present case, if you tell Dovecot (through the
login_trusted_networks setting) to allow connections from
"smtp.example.com", then Dovecot could check the name on the client's
certificate matches "smtp.example.com".
More generally, example.com could issue client certificates with names
matching "*.mua.example.com". Then you could tell Dovecot to allow
connections from "*.mua.example.com" through the login_trusted_networks
setting.
These usages could largely replace the IP host and CIDR subnet usages
currently allowed in the login_trusted_networks setting but both could
exist side by side.
Of course, more elaborate schemes could be devised involving database
lookups, but the outlined proposal would be relatively easy to implement
and cover a good majority of use cases.
The alternative is to force the use of application-specific certificate
authorities, or just ignore it and hope that no one knows how to spoof
network traffic.
That's my two cents...
Sean.
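The matching the post proposes, as an added example and not Dovecot's own code: a small Python sketch of a login_trusted_networks-style setting that holds IP addresses, CIDR subnets, plain FQDNs and wildcard FQDNs side by side, plus the check that the chain-verified client certificate's name actually matches one of the listed names. The setting syntax, the names and the certificate dictionary below are constructed for illustration (the dictionary uses the shape ssl.SSLSocket.getpeercert() returns); the wildcard rule follows the browser convention of matching a single leftmost label only.

```python
import ipaddress

# Constructed sample setting in the style the post proposes (hypothetical syntax):
# IP host, CIDR subnet, exact FQDN and wildcard FQDN all in one list.
TRUSTED_SETTING = "10.0.0.5 192.168.1.0/24 smtp.example.com *.mua.example.com"

# Constructed client certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns for a verified peer certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "host7.mua.example.com"),),),
    "subjectAltName": (("DNS", "host7.mua.example.com"),),
}


def parse_trusted_networks(setting):
    """Split the setting into IP networks and name patterns.

    Tokens ipaddress accepts become networks (a bare host becomes a /32 or
    /128); anything else is treated as a (possibly wildcard) FQDN pattern.
    """
    networks, name_patterns = [], []
    for token in setting.split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            name_patterns.append(token.lower().rstrip("."))
    return networks, name_patterns


def name_matches(pattern, hostname):
    """Browser-style hostname matching.

    A '*' is only allowed as the entire leftmost label, it never matches
    across a dot, and the remainder must have at least two labels so that
    '*.com' cannot be used as a pattern.  Comparison is case-insensitive.
    """
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or rest.count(".") < 1:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def names_from_peercert(cert):
    """Collect the dNSName SAN entries; fall back to the subject CN only when
    the certificate carries no dNSName SAN (the precedence browsers use)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def peer_trusted(remote_ip, cert_names, networks, name_patterns):
    """Decide whether a chain-verified peer is trusted.

    cert_names are the names taken from the client certificate.  A peer is
    trusted if its source address lies in a listed network, or if one of its
    certificate names matches a listed name pattern.  A valid chain alone
    (SSL_VERIFY_PEER) is not enough: a certificate for an unrelated name
    from the same CA is refused.
    """
    ip = ipaddress.ip_address(remote_ip)
    if any(ip in net for net in networks):
        return True
    return any(name_matches(p, n) for p in name_patterns for n in cert_names)


if __name__ == "__main__":
    nets, pats = parse_trusted_networks(TRUSTED_SETTING)
    names = names_from_peercert(SAMPLE_CERT)
    print("subnet peer:", peer_trusted("192.168.1.77", [], nets, pats))
    print("cert from *.mua.example.com:", peer_trusted("203.0.113.9", names, nets, pats))
    print("valid but unrelated cert:", peer_trusted("203.0.113.9", ["relay.example.org"], nets, pats))
```

The last call is the case the post describes: a certificate that chains to the trusted root but names a host outside the configured patterns, which the name check now rejects where a chain-only verification would have let it through.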