en - RE: [sympa-users] Allow posting to list based on S/MIME signature properties?

Subject: The mailing list for listmasters using Sympa

  • From: Steve Shipway <address@concealed>
  • To: Dick Visser <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] Allow posting to list based on S/MIME signature properties?
  • Date: Thu, 17 Oct 2013 08:22:26 +0000

This is one part of certificates under Sympa that I've managed to get working
correctly on our system.

You can add the approved signing certificates to the CA used by Sympa; this
way, you can make sure that only approved S/MIME certificates are allowed.

The normal posting scenari apply; the S/MIME certificate CN is used to get
the signing email address, and this is used against the posting scenario,
looking at the 'smime' rules. So, you can easily match against $sender with
an smime rule to get what you want.

I've successfully managed to get our S/MIME signed messages to be approved
for posting to moderated lists, and added the AusCERT signing certs to the
Sympa CA. Since our S/MIME certs have the email address in the CN then we
can simply use the is_subscriber functions etc. for the scenari rules.

The S/MIME support does seem to have a few glitches - it's not compatible
with mailmerge, it seems to have issues with opaque-signed messages, and so
on - but for authorisation it works fine.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
address@concealed
Ph: +64 9 373 7599 ext 86487


________________________________________
From: address@concealed
[address@concealed] on behalf of Dick Visser
[address@concealed]
Sent: Wednesday, 16 October 2013 3:09 a.m.
To: address@concealed
Subject: [sympa-users] Allow posting to list based on S/MIME signature
properties?

Hi guys

Our current list manager is running on our SMTP server.
It has a feature (hack) that allows SASL authenticated users to send
mail to all lists.
I know that this is bad practice but at the time it looked like a Cool
Feature™.
I don't use it myself and actually forgot about this feature, but I
found that some users do seem to use it, so I'm looking for an
alternative.

Since all of my users sign their messages with S/MIME, I thought
this would be a candidate.
Looking at
https://www.sympa.org/manual/x509#configuration_to_recognize_smime_signatures,
I see that Sympa does support S/MIME. But from the example I can't
really see how this authorisation would work.

Ideally, I'd like to authorise on a combination of the Issuer and the Subject.
In our case, the scenario would be:

1) Check SMTP From header to post to a list (members)
2) Allow S/MIME signed messages, but only if the Issuer is "C=NL,
O=TERENA, CN=TERENA Personal CA", and the subject has "C=NL,
O=TERENA".


Would such a thing be possible?


Many thanks!!


--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
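
The setup discussed in this thread, written out as a Sympa `send` scenario. This is an added example, not part of the original messages and not a file shipped with Sympa; the file name and title are hypothetical. It assumes the CA store Sympa is configured to use (the `cafile` / `capath` settings in sympa.conf) contains only the approved signing CA, since that store, not the scenario, is what limits which issuers are accepted.

```conf
# Hypothetical file: scenari/send.subscribers_or_smime  (name is an assumption)
title.gettext subscribers by From address, or any verified S/MIME signer

# Rule format: <condition>  <auth methods>  -> <action>
# Rules are tried top to bottom; the first one whose condition and
# authentication method both match decides the outcome.

# 1) Ordinary mail: the SMTP From address ([sender]) must be a subscriber
#    or an editor of the list.
is_subscriber([listname],[sender])    smtp,md5,smime    -> do_it
is_editor([listname],[sender])        smtp,md5,smime    -> do_it

# 2) Signed mail from non-subscribers: the 'smime' method only matches when
#    the signature verified against Sympa's CA store, so this rule trusts
#    exactly the CAs present in that store and nothing else.
true()                                smime             -> do_it

# 3) Everything else (unsigned, or signed by a certificate that does not
#    chain to the CA store) is refused.
true()                                smtp,md5          -> reject
```

Rule 2 lets every certificate holder under a trusted CA post, so any extra CA added to the store widens who can post to lists using this scenario. To keep signed posting limited to members, drop rule 2 and remove `smtp,md5` from the first two rules.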




