3 on page 202). CERTISSUER: and
CERTSUBJECT: are for use with the Local_Relay_Auth rule set. TLS_Srv: and TLS_Clt: are
for use with the tls_server and tls_client rule sets.
5.3.8.1 The access database and Local_Relay_Auth
In the rule set Local_Relay_Auth, the STARTTLS-related sendmail macro ${verify}
(which contains the result of connection verification) is compared to the literal value
OK. If it is not OK, the other relaying checks are performed.
If ${verify} is OK, the value in the sendmail macro ${cert_issuer} (§21.9.13 on page
809) is prefixed with CERTISSUER:, and the result is looked up in the access database.
That macro contains as its value the distinguished name of the authority that signed
the presented certificate. The value undergoes special translation before the lookup.
Specifically, all nonprinting characters, the space and tab characters, and the special
characters:
< > ( ) " +
are replaced with the hexadecimal value of the character prefixed with a plus sign.
For example, Sendmail CA becomes Sendmail+20CA.
Therefore, if the issuer has the following distinguished name:
/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/
that value undergoes special translation, and is prefixed with the special prefix
CERTISSUER: just before the lookup. So the following is looked up:
CERTISSUER:/C=US/ST=California/L=Berkeley/O=Sendmail.
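The translation described above can be reproduced when preparing access database keys by hand. The following Python sketch is an added example, not code from sendmail or from this book; the function names are hypothetical, and it assumes that "nonprinting" means any byte outside the range 0x21 to 0x7E and that the hexadecimal value is written as two uppercase digits.

```python
# Added example: build and read back CERTISSUER: lookup keys.
# Function names are hypothetical; they are not part of sendmail.

SPECIALS = b'<>()"+'  # the special characters listed in the text


def translate(dn: str) -> str:
    """Apply the special translation to a distinguished name."""
    out = []
    for b in dn.encode("utf-8"):
        # Assumption: bytes outside 0x21..0x7E count as nonprinting;
        # this range check also covers the space and tab characters.
        if b < 0x21 or b > 0x7E or b in SPECIALS:
            out.append("+%02X" % b)  # assumption: two uppercase hex digits
        else:
            out.append(chr(b))
    return "".join(out)


def access_key(dn: str, prefix: str = "CERTISSUER:") -> str:
    """Return the string that is looked up in the access database."""
    return prefix + translate(dn)


def untranslate(value: str) -> str:
    """Reverse the translation, to read an existing key back as a DN."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "+":
            # A literal plus sign is always encoded, so "+" can only
            # introduce a two-digit hexadecimal value here.
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    return raw.decode("utf-8")


if __name__ == "__main__":
    # The issuer distinguished name used in the text.
    issuer = "/C=US/ST=California/L=Berkeley/O=Sendmail.org/CN=Sendmail CA/"
    print(access_key(issuer))
```

Because a literal plus sign is itself translated, the reverse direction is unambiguous, which makes it practical to audit the CERTISSUER: keys already present in an access database source file.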