STARTTLS and the access Database

Beginning with V8.11, four new prefixes in the access database are available for use with STARTTLS connection encryption (STARTTLS on page 202). CERTISSUER: and CERTSUBJECT: are for use with the Local_Relay_Auth rule set. TLS_Srv: and TLS_Clt: are for use with the tls_server and tls_client rule sets.

The access database and Local_Relay_Auth

In the rule set Local_Relay_Auth, the STARTTLS-related sendmail macro ${verify} (which contains the result of connection verification) is compared to the literal value OK. If it is not OK, the other relaying checks are performed.

If ${verify} is OK, the value in the sendmail macro ${cert_issuer} (${cert_issuer} on page 809) is prefixed with CERTISSUER:, and the result is looked up in the access database. That macro contains as its value the distinguished name of the authority that signed the presented certificate. The value undergoes special translation before the lookup. Specifically, all nonprinting characters, the space and tab characters, and the special characters:

< > ( ) " +

are replaced with the hexadecimal value of the character prefixed with a plus sign. For example, Sendmail CA becomes Sendmail+20CA.

Therefore, if the issuer has the following distinguished name:

/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/

that value undergoes special translation, and is prefixed with the special prefix CERTISSUER: just before the lookup. So the following is looked up:

CERTISSUER:/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail+20CA/ ...
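As an added example (not code from the book or from sendmail itself), the following Python reproduces the translation described above and the conditional lookup order of Local_Relay_Auth, so an administrator can compute the exact key that must appear in the access database for a given issuer DN. Uppercase hex digits, byte-wise handling of non-ASCII characters, and the sample map value RELAY are assumptions not stated on this page.

```python
# Characters the page lists as escaped, in addition to nonprinting
# bytes, space and tab.
SPECIAL = set(b'<>()"+')


def escape_dn(dn: str) -> str:
    """Translate a distinguished name the way sendmail does before the
    CERTISSUER:/CERTSUBJECT: lookup: any byte outside the printable
    ASCII range 0x21-0x7E (nonprinting, space, tab, non-ASCII bytes;
    byte-wise UTF-8 treatment is an assumption) and the characters
    < > ( ) " + become '+' followed by two hex digits."""
    out = []
    for byte in dn.encode("utf-8"):
        if byte < 0x21 or byte > 0x7E or byte in SPECIAL:
            out.append("+%02X" % byte)  # uppercase hex is an assumption
        else:
            out.append(chr(byte))
    return "".join(out)


def access_key(prefix: str, dn: str) -> str:
    """Prefix the translated DN to form the access-database key."""
    return prefix + escape_dn(dn)


def cert_issuer_lookup(verify: str, cert_issuer: str, access_map: dict):
    """Mirror the order described for Local_Relay_Auth: only a connection
    whose ${verify} macro is OK gets a CERTISSUER: lookup. Otherwise
    return None so the caller falls through to the other relaying
    checks. access_map stands in for the access database."""
    if verify != "OK":
        return None
    return access_map.get(access_key("CERTISSUER:", cert_issuer))


# Constructed sample access database keyed by the issuer DN from the text.
ISSUER_DN = "/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/"
SAMPLE_ACCESS_MAP = {
    access_key("CERTISSUER:", ISSUER_DN): "RELAY",  # RELAY value is assumed
}

if __name__ == "__main__":
    print(access_key("CERTISSUER:", ISSUER_DN))
    print(cert_issuer_lookup("OK", ISSUER_DN, SAMPLE_ACCESS_MAP))
    print(cert_issuer_lookup("FAIL", ISSUER_DN, SAMPLE_ACCESS_MAP))
```

Note that a certificate whose chain did not verify never reaches the lookup, so a permissive CERTISSUER: entry alone cannot grant relaying to an unverified peer.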
