svarshavchik / courier

Courier Mail Server
http://www.courier-mta.org

Matching against fields other than DN / emailAddress in TLS_EXTERNAL #29

Closed andrejpodzimek closed 2 years ago

andrejpodzimek commented 3 years ago

This is a humble feature request. (It may be already possible / implemented, but I was unable to find it in the documentation.)

OpenSSL's ca man page says: …it is good policy just having the e-mail set into the altName extension of the certificate… (In other words, email_in_dn should be set to no in the CA's configuration.)

Unfortunately, it seems that certificates adhering to this^^^ policy cannot be used for certificate authentication in Courier.

Is it possible to reference an X509v3 Subject Alternative Name (SAN) (which reads email:user@domain.org in OpenSSL's output) using TLS_EXTERNAL? What would be the syntax?
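To make the distinction in this request concrete, here is an added example (not part of this thread or of Courier's code) that builds a certificate in memory with the `cryptography` library (assumed installed), once with the e-mail only in the SAN as the OpenSSL policy recommends and once also in the DN, and shows which lookup finds an identity in each case. The function names are hypothetical.

```python
"""Where an identity e-mail lives in a client cert: Subject DN vs SAN.

Constructed example: a self-signed certificate is generated in memory so
the script runs offline. A server that only reads the DN emailAddress
attribute finds nothing when the e-mail sits solely in the SAN.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_cert(email: str, email_in_dn: bool) -> x509.Certificate:
    """Self-signed cert; e-mail always in the SAN, in the DN only if asked."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "user")]
    if email_in_dn:  # corresponds to email_in_dn = yes in an OpenSSL CA config
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    name = x509.Name(attrs)
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.RFC822Name(email)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))


def dn_email(cert: x509.Certificate):
    """emailAddress attribute of the Subject DN, or None if absent."""
    vals = cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)
    return vals[0].value if vals else None


def san_emails(cert: x509.Certificate):
    """All rfc822Name entries of the SAN extension (empty if no SAN)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.RFC822Name)


def identity_for_auth(cert: x509.Certificate, source: str):
    """Map a client cert to a login; source is 'dn' or 'san'.

    A SAN may carry several e-mails; refuse to guess rather than pick one."""
    if source == "dn":
        return dn_email(cert)
    emails = san_emails(cert)
    return emails[0] if len(emails) == 1 else None
```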

andrejpodzimek commented 3 years ago

And it looks like TLS_EXTERNAL is only inspected in libs/imap/externalauth.c, but the configuration file comments in esmtpd-ssl suggest that it should also exist in SMTP.

svarshavchik commented 3 years ago

That code is used in the smtp server too. No, currently there's no syntax for using any other field as the authentication key.

svarshavchik commented 2 years ago

If someone gets around to submitting a patch or a PR, I'll review it.