STARTTLS and the access Database
Beginning with V8.11, four new prefixes in the access database are available for use with STARTTLS connection encryption (STARTTLS on page 202). CERTISSUER: and CERTSUBJECT: are for use with the Local_Relay_Auth rule set. TLS_Srv: and TLS_Clt: are for use with the tls_server and tls_client rule sets.
The access database and Local_Relay_Auth
In the rule set Local_Relay_Auth, the STARTTLS-related sendmail macro ${verify} (which contains the result of connection verification) is compared to the literal value OK. If it is not OK, the other relaying checks are performed.

If ${verify} is OK, the value in the sendmail macro ${cert_issuer} (${cert_issuer} on page 809) is prefixed with CERTISSUER:, and the result is looked up in the access database. That macro contains as its value the distinguished name of the authority that signed the presented certificate. The value undergoes special translation before the lookup. Specifically, all nonprinting characters, the space and tab characters, and the special characters:

    < > ( ) " +

are replaced with the hexadecimal value of the character prefixed with a plus sign. For example, Sendmail CA becomes Sendmail+20CA.
Therefore, if the issuer has the following distinguished name:

    /C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/

that value undergoes special translation and is prefixed with the special prefix CERTISSUER: just before the lookup. So the following is looked up:

    CERTISSUER:/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail+20CA/ ...
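The translation and lookup described above, modeled in Python as an added example (this is not sendmail's own code). It implements the character replacement exactly as the text lists it (nonprinting characters, space, tab and the six special characters become a plus sign followed by the hexadecimal value), builds the CERTISSUER: key, and applies the ${verify} gate of Local_Relay_Auth. The use of uppercase hexadecimal digits, the treatment of 8-bit bytes as nonprinting, the function names, and the sample access database entry are assumptions of this example.

```python
from typing import Dict, Optional

# The six special characters the text lists, in addition to
# nonprinting characters, space and tab.
SPECIAL_CHARS = set('<>()"+')


def translate_dn(dn: str) -> str:
    """Apply the special translation to a certificate distinguished name.

    Every nonprinting character, space, tab and one of < > ( ) " + is replaced
    by '+' followed by its two-digit hexadecimal value. Uppercase hex digits and
    treating bytes >= 0x7F as nonprinting are assumptions of this example.
    """
    out = []
    for byte in dn.encode("utf-8"):
        ch = chr(byte)
        nonprinting = byte < 0x21 or byte >= 0x7F  # controls, tab, space, DEL, 8-bit
        if nonprinting or ch in SPECIAL_CHARS:
            out.append("+%02X" % byte)
        else:
            out.append(ch)
    return "".join(out)


def access_key(prefix: str, dn: str) -> str:
    """Build the access database key: prefix, a colon, then the translated DN."""
    return prefix + ":" + translate_dn(dn)


def local_relay_auth_issuer_lookup(verify: str, cert_issuer: str,
                                   access_db: Dict[str, str]) -> Optional[str]:
    """Model of the Local_Relay_Auth step for CERTISSUER:.

    Only when ${verify} is the literal OK is the CERTISSUER: key looked up;
    otherwise None is returned and the other relaying checks would apply.
    """
    if verify != "OK":
        return None
    return access_db.get(access_key("CERTISSUER", cert_issuer))


# Constructed sample access database (hypothetical entry, not from the page).
SAMPLE_ACCESS_DB = {
    "CERTISSUER:/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail+20CA/": "RELAY",
}

ISSUER_DN = "/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/"

if __name__ == "__main__":
    print(translate_dn("Sendmail CA"))
    print(access_key("CERTISSUER", ISSUER_DN))
    print(local_relay_auth_issuer_lookup("OK", ISSUER_DN, SAMPLE_ACCESS_DB))
    print(local_relay_auth_issuer_lookup("FAIL", ISSUER_DN, SAMPLE_ACCESS_DB))
```

The plus sign itself is in the replaced set so that an issuer DN containing a literal "+" cannot collide with an encoded key; a DN such as a CN of "Sendmail CA" yields the key shown in the text, while a verify result other than OK never reaches the lookup at all.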