Mailing List Archive

Encrypted SSL connection to remote PostgreSQL cluster
Howdy!

Before I spend too much time trying to figure this out, is it possible to configure my PostgreSQL connection to use passwordless certificate based authentication?

Using an Exim configuration parameter such as (with appropriate pg_hba.conf settings on the PG end)
hide pgsql_servers = 192.168.45.16/exim/thepguser/<thepassword>
does work. For instance this works fine:
exim -be '${lookup pgsql{ select generate_series(1,10) }};'

I can connect without a password using the psql client, by passing a connection URI scheme, such as this:
psql "dbname=postgres \
host=192.168.45.16 \
sslcert=client.crt \
sslkey=client.key \
sslmode=verify-ca \
sslrootcert=root.crt \
user=thepgbuser"
But I see nothing in the Exim documentation that gives me much hope for Exim. I suppose another option, if possible, would be to export the relevant $PG* environment variables if Exim can somehow be told to use them?

Thanks!
Pat

PS, please CC me on replies as I am not subscribed to the ML
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Encrypted SSL connection to remote PostgreSQL cluster
On 10/09/2021 01:31, Patrick via Exim-users wrote:
> Before I spend too much time trying to figure this out, is it possible to configure my PostgreSQL connection to use passwordless certificate based authentication?

Nope. We're using what seems to be an older API for the client-connection
which does not support SSL. A wishlist-level bug would be appropriate.

> I suppose another option, if possible, would be to export the relevant $PG* environment variables if Exim can somehow be told to use them?

No; we don't call an intermediate process for this connection.
--
Cheers,
Jeremy

Re: Encrypted SSL connection to remote PostgreSQL cluster
On 10/09/2021 09:13, Jeremy Harris via Exim-users wrote:
> On 10/09/2021 01:31, Patrick via Exim-users wrote:
>> Before I spend too much time trying to figure this out, is it possible to configure my PostgreSQL connection to use passwordless certificate based authentication?
>
> Nope.  We're using what seems to be an older API for the client-connection
> which does not support SSL.  A wishlist-level bug would be appropriate.

Actually, reading the Postgres docs further, there's a faint hope.
Try something like:

pgsql_servers = "host=192.168.45.16 sslcert=client.crt sslkey=client.key sslmode=verify-ca sslrootcert=root.crt/exim/thepguser/"

(We're still using the older API, but it appears to have a forward-compat
feature. This might be pgsql-library version dependent; I'm looking
at the 8.3 docs)
--
Cheers,
Jeremy

Re: Encrypted SSL connection to remote PostgreSQL cluster
On 2021-09-10, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 10/09/2021 09:13, Jeremy Harris via Exim-users wrote:
>> On 10/09/2021 01:31, Patrick via Exim-users wrote:
>>> Before I spend too much time trying to figure this out, is it possible to configure my PostgreSQL connection to use passwordless certificate based authentication?
>>
>> Nope.  We're using what seems to be an older API for the client-connection
>> which does not support SSL.  A wishlist-level bug would be appropriate.
>
> Actually, reading the Postgres docs further, there's a faint hope.
> Try something like:
>
> pgsql_servers = "host=192.168.45.16 sslcert=client.crt sslkey=client.key sslmode=verify-ca sslrootcert=root.crt/exim/thepguser/"
>
> (We're still using the older API, but it appears to have a forward-compat
> feature. This might be pgsql-library version dependent; I'm looking
> at the 8.3 docs)

As I understand it, the old libpq connect call naively massages its
parameters to match the new connection string interface, so it's
practical to inject connection parameters using the database-name
field.


--
Jasen.
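
An added example, not part of the thread and not Exim's own code: a small linter for a pgsql_servers entry of the kind suggested above, reporting how the entry splits and which TLS-related settings deserve a second look before deployment. It assumes Exim splits the entry from the right on "/" into server/database/user/password and approximates libpq's keyword=value parsing with shlex; the function names, the /etc/exim paths and the third sample entry are made up for illustration.

```python
import shlex

def split_entry(entry):
    # Assumption: Exim peels password, user and database off the right-hand
    # end at each "/", so slashes inside the server field (paths) survive.
    parts = entry.rsplit("/", 3)
    if len(parts) != 4:
        raise ValueError("expected server/database/user/password")
    return dict(zip(("server", "database", "user", "password"), parts))

def conninfo_keywords(field):
    # Approximation of libpq's keyword=value syntax; plain names yield {}.
    if "=" not in field:
        return {}
    return dict(t.split("=", 1) for t in shlex.split(field) if "=" in t)

def audit(entry):
    fields = split_entry(entry)
    kw = {}
    for name in ("server", "database"):  # either field may carry conninfo
        kw.update(conninfo_keywords(fields[name]))
    findings = []
    if fields["password"]:
        findings.append("password stored in the configuration")
    mode = kw.get("sslmode", "(unset)")
    if mode == "verify-ca":
        findings.append("verify-ca checks the CA chain but not the host name")
    elif mode != "verify-full":
        findings.append(f"sslmode={mode} does not authenticate the server")
    for key in ("sslcert", "sslkey", "sslrootcert"):
        if key in kw and not kw[key].startswith("/"):
            findings.append(f"{key}={kw[key]} depends on the working directory")
    return fields, kw, findings

# Entries as posted in the thread, plus one constructed variant.
THREAD_ENTRY = ("host=192.168.45.16 sslcert=client.crt sslkey=client.key "
                "sslmode=verify-ca sslrootcert=root.crt/exim/thepguser/")
PASSWORD_ENTRY = "192.168.45.16/exim/thepguser/<thepassword>"
ABSOLUTE_ENTRY = ("host=192.168.45.16 sslcert=/etc/exim/client.crt "
                  "sslkey=/etc/exim/client.key sslmode=verify-full "
                  "sslrootcert=/etc/exim/root.crt/exim/thepguser/")  # constructed

if __name__ == "__main__":
    for e in (THREAD_ENTRY, PASSWORD_ENTRY, ABSOLUTE_ENTRY):
        fields, kw, findings = audit(e)
        print(fields["database"], fields["user"], kw.get("sslmode"), findings)
```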
