Yahoo Groups archive

Milter-greylist

Re: whitelist STARTTLS compliant senders

2008-02-19 by ondrej_v0

Looking into the source code, I see there is no support for this yet.
Here is my patch to enable it:

--- acl_.c      2007-11-11 12:57:19.000000000 +0100
+++ acl.c       2008-02-19 15:02:19.000000000 +0100
@@ -773,13 +773,19 @@
        char *verify;
        char *dn;

-       if (((verify = smfi_getsymval(priv->priv_ctx, "{verify}")) ==
NULL) ||
-           (strcmp(verify, "OK") != 0) ||
-           ((dn = smfi_getsymval(priv->priv_ctx, "{cert_subject}"))
== NULL))
+       if ((verify = smfi_getsymval(priv->priv_ctx, "{verify}")) !=
NULL) {
+           // "racl tls any" support - match anyone willing to
STARTTLS - even those MTA's without a private certificate to present
+           if ((strcmp("any", ad->string) == 0) &&
+               ((strcmp(verify, "OK") != 0) || (strcmp(verify, "NO")
!= 0)))
+               return 1;
+
+           if ((strcmp(verify, "OK") != 0) ||
+               ((dn = smfi_getsymval(priv->priv_ctx,
"{cert_subject}")) == NULL))
                return 0;

-       if (strcmp(dn, ad->string) == 0)
+           if (strcmp(dn, ad->string) == 0)
                return 1;
+       }

        return 0;
 }
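
Review bot: the "any" branch condition `((strcmp(verify, "OK") != 0) || (strcmp(verify, "NO") != 0))` is always true, because verify cannot equal both "OK" and "NO" at the same time. As written, `tls "any"` returns 1 for every non-NULL {verify} value, so the ACL whitelists the sender whatever the verification result was. If the intent is to match only those two results, both comparisons should be `== 0`; otherwise drop the second half of the `&&` and say in the comment that any non-NULL value matches. The new comment says "racl tls any" while the description below the patch says 'acl tls "any"', so the keyword should be stated once, consistently, and documented.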


It basically introduces the clause 'acl tls "any"', which addresses anyone
willing to STARTTLS, even those who have no private certificate to
present.
Can this go into the main stream? ;-)
Thanks,

Ondrej
