* Re: [RFC PATCH] Introduce filesystem type tracking
From: David Timber @ 2026-02-20 5:43 UTC (permalink / raw)
To: Christian Brauner; +Cc: linux-kernel, linux-fsdevel, git
> All these mails have a broken header and set In-Reply-To: to <>:
>
> In-Reply-To: <>
>
> So all of these messages share a single bogus parent with the empty
> message ID <> and then Neomutt groups them together which makes it look
> like a really old thread got new replies...
Sorry for going off-topic.
I run my own Postfix+Dovecot stack and, for an added layer of security, I
enabled client cert verification for all MUA ports (submission and IMAP)
so that bots don't even have a chance at establishing a TLS session.
The downside of this would be the lack of client support. I'd love to use
it, but unfortunately git-send-email cannot be configured to present a
client cert to the server. I just learned that git-send-email is only a
single 2k-line Perl script, so I could submit the patch if anyone's
interested. Just a few lines for the script to pass the PEM paths to the
OpenSSL lib.
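What a submission port with mandatory client certificates actually enforces, shown as an added example written for this page in Go (it is not code from the thread, from git-send-email, or from Postfix/Dovecot, and Go is used instead of the script's Perl so the handshake can be run offline). Everything is constructed in memory: the CA name "demo mail CA", the server name mail.example.invalid and the client CN "dxdt" are made up. `tls.RequireAndVerifyClientCert` stands in for a Postfix `smtpd_tls_req_ccert = yes` submission port; a client that presents no certificate is cut off at the TLS handshake and never sees the "220" banner, while a client holding a CA-issued certificate (what the patch lets git-send-email present) gets through to the SMTP layer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed, in-memory PKI for this example only: one private
// CA that has issued a server certificate and a client certificate.
type demoPKI struct {
	roots  *x509.CertPool
	server tls.Certificate
	client tls.Certificate
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey
// (self-signed when parentKey is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// newPKI builds the made-up CA, server cert and client cert.
func newPKI() demoPKI {
	now := time.Now()
	tmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
	}
	ca := tmpl("demo mail CA", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	_, caCert, caKey := issue(ca, nil, nil)

	srv := tmpl("mail.example.invalid", 2)
	srv.DNSNames = []string{"mail.example.invalid"}
	srv.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvTLS, _, _ := issue(srv, caCert, caKey)

	cli := tmpl("dxdt", 3) // the MUA's identity, as git-send-email would present it
	cli.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliTLS, _, _ := issue(cli, caCert, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return demoPKI{roots: roots, server: srvTLS, client: cliTLS}
}

// submit runs one connection against a loopback "submission port" that
// requires a CA-issued client certificate. It returns the client CN the
// server verified ("" if the server rejected the handshake) and the error
// the client saw, if any. Under TLS 1.3 the client's Dial can succeed before
// the server has judged the client cert, so the first Read is included.
func submit(pki demoPKI, withCert bool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{pki.server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, no session
		ClientCAs:    pki.roots,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	seen := make(chan string, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			seen <- ""
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			seen <- "" // rejected before any SMTP traffic
			return
		}
		cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tc, "220 mail.example.invalid ESMTP ready\r\n")
		seen <- cn
	}()

	cfg := &tls.Config{RootCAs: pki.roots, ServerName: "mail.example.invalid", MinVersion: tls.VersionTLS12}
	if withCert {
		cfg.Certificates = []tls.Certificate{pki.client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return <-seen, err
	}
	defer conn.Close()
	banner := make([]byte, 64)
	if _, err := conn.Read(banner); err != nil {
		return <-seen, err
	}
	return <-seen, nil
}

func main() {
	pki := newPKI()
	cn, err := submit(pki, false)
	fmt.Printf("anonymous client: verified CN=%q, client error=%v\n", cn, err)
	cn, err = submit(pki, true)
	fmt.Printf("client with cert: verified CN=%q, client error=%v\n", cn, err)
}
```

The verified CN is what a server-side policy (Dovecot's username-from-certificate mapping, or a Postfix check on the client cert) can act on before any password is exchanged; note that the reject case never reaches the "220" banner, which is the property the message above is after.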
* [PATCH] send-mail: add client certificate options
From: David Timber @ 2026-02-20 7:52 UTC (permalink / raw)
To: git; +Cc: David Timber
For SMTP servers that do "mutual certificate verification", the mail
client is required to present its own TLS certificate as well. This
patch adds --smtp-ssl-client-cert and --smtp-ssl-client-key for such
servers.
Signed-off-by: David Timber <dxdt@dev•snart.me>
---
Documentation/git-send-email.adoc | 13 +++++++++
git-send-email.perl | 48 ++++++++++++++++++++++++-------
2 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/Documentation/git-send-email.adoc b/Documentation/git-send-email.adoc
index ebe8853e9f..9c782a4d9a 100644
--- a/Documentation/git-send-email.adoc
+++ b/Documentation/git-send-email.adoc
@@ -290,6 +290,19 @@ must be used for each option.
variable, if set, or the backing SSL library's compiled-in default
otherwise (which should be the best choice on most platforms).
+--smtp-ssl-client-cert <path>::
+ Path to a client certificate file to present to the SMTP server. This option
+ can be used when the server verifies the certificate from the client. The
+ format could be in either PKCS12 or PEM. In the latter case, the private key
+ can be specified using `--smtp-ssl-client-key` option. More more
+ detail, see
+ https://metacpan.org/pod/IO::Socket::SSL#SSL_cert_file-|-SSL_cert-|-SSL_key_file-|-SSL_key
+
+--smtp-ssl-client-key <path>::
+ Optional path to the private key file. If this is not given and a PKCS12
+ certificate file is used, the private key from the PKCS12 certificate will
+ be used(see `--smtp-ssl-client-cert`).
+
--smtp-user=<user>::
Username for SMTP-AUTH. Default is the value of `sendemail.smtpUser`;
if a username is not specified (with `--smtp-user` or `sendemail.smtpUser`),
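Review bot: the new option text in this hunk has several wording slips: "More more detail, see" should be "For more detail, see"; "be used(see" needs a space before the parenthesis; "can be specified using `--smtp-ssl-client-key` option" is missing "the"; and "PKCS12" is conventionally written "PKCS#12". More substantively, the `%config_path_settings` hunk wires up `smtpsslclientcert` and `smtpsslclientkey` as config-file equivalents, but no file under Documentation/config/ is touched, so the `sendemail.*` keys behind these two options stay undocumented; the preceding `--smtp-ssl-cert-path` entry, which refers to its config variable, is the pattern to follow. The text also says nothing about a passphrase-protected key or PKCS#12 file, which the script has no option to supply; a sentence on what happens in that case would save users a confusing failure.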
diff --git a/git-send-email.perl b/git-send-email.perl
index cd4b316ddc..49601a91d8 100755
--- a/git-send-email.perl
+++ b/git-send-email.perl
@@ -66,6 +66,9 @@ sub usage {
--smtp-ssl-cert-path <str> * Path to ca-certificates (either directory or file).
Pass an empty string to disable certificate
verification.
+ --smtp-ssl-client-cert <str> * Path to client certificate file to present to SMTP server
+ --smtp-ssl-client-key <str> * Path to the private key file for the client certificate
+ (optional if a PKCS12 client certificate is used)
--smtp-domain <str> * The domain name sent to HELO/EHLO handshake
--smtp-auth <str> * Space-separated list of allowed AUTH mechanisms, or
"none" to disable authentication.
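Review bot: "Path to client certificate file" in the new usage line should read "Path to the client certificate file", matching the `--smtp-ssl-client-key` line directly below it and the doc hunk's wording; the `<str>` placeholder is fine as is, since it follows the existing `--smtp-ssl-cert-path <str>` line above.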
@@ -279,6 +282,7 @@ sub do_edit {
my ($to_cmd, $cc_cmd, $header_cmd);
my ($smtp_server, $smtp_server_port, @smtp_server_options);
my ($smtp_authuser, $smtp_encryption, $smtp_ssl_cert_path);
+my ($smtp_ssl_client_cert, $smtp_ssl_client_key);
my ($batch_size, $relogin_delay);
my ($identity, $aliasfiletype, @alias_files, $smtp_domain, $smtp_auth);
my ($imap_sent_folder);
@@ -350,6 +354,8 @@ sub do_edit {
my %config_path_settings = (
"aliasesfile" => \@alias_files,
"smtpsslcertpath" => \$smtp_ssl_cert_path,
+ "smtpsslclientcert" => \$smtp_ssl_client_cert,
+ "smtpsslclientkey" => \$smtp_ssl_client_key,
"mailmap.file" => \$mailmap_file,
"mailmap.blob" => \$mailmap_blob,
);
@@ -531,6 +537,8 @@ sub config_regexp {
"smtp-ssl" => sub { $smtp_encryption = 'ssl' },
"smtp-encryption=s" => \$smtp_encryption,
"smtp-ssl-cert-path=s" => \$smtp_ssl_cert_path,
+ "smtp-ssl-client-cert=s" => \$smtp_ssl_client_cert,
+ "smtp-ssl-client-key=s" => \$smtp_ssl_client_key,
"smtp-debug:i" => \$debug_net_smtp,
"smtp-domain:s" => \$smtp_domain,
"smtp-auth=s" => \$smtp_auth,
@@ -1520,6 +1528,8 @@ sub handle_smtp_error {
}
sub ssl_verify_params {
+ my %ret = ();
+
eval {
require IO::Socket::SSL;
IO::Socket::SSL->import(qw/SSL_VERIFY_PEER SSL_VERIFY_NONE/);
@@ -1531,20 +1541,36 @@ sub ssl_verify_params {
if (!defined $smtp_ssl_cert_path) {
# use the OpenSSL defaults
- return (SSL_verify_mode => SSL_VERIFY_PEER());
+ $ret{SSL_verify_mode} = SSL_VERIFY_PEER();
+ }
+ else {
+ if ($smtp_ssl_cert_path eq "") {
+ $ret{SSL_verify_mode} = SSL_VERIFY_NONE();
+ } elsif (-d $smtp_ssl_cert_path) {
+ $ret{SSL_verify_mode} = SSL_VERIFY_PEER();
+ $ret{SSL_ca_path} = $smtp_ssl_cert_path;
+ } elsif (-f $smtp_ssl_cert_path) {
+ $ret{SSL_verify_mode} = SSL_VERIFY_PEER();
+ $ret{SSL_ca_file} = $smtp_ssl_cert_path;
+ } else {
+ die sprintf(__("CA path \"%s\" does not exist"), $smtp_ssl_cert_path);
+ }
}
- if ($smtp_ssl_cert_path eq "") {
- return (SSL_verify_mode => SSL_VERIFY_NONE());
- } elsif (-d $smtp_ssl_cert_path) {
- return (SSL_verify_mode => SSL_VERIFY_PEER(),
- SSL_ca_path => $smtp_ssl_cert_path);
- } elsif (-f $smtp_ssl_cert_path) {
- return (SSL_verify_mode => SSL_VERIFY_PEER(),
- SSL_ca_file => $smtp_ssl_cert_path);
- } else {
- die sprintf(__("CA path \"%s\" does not exist"), $smtp_ssl_cert_path);
+ if (defined $smtp_ssl_client_cert) {
+ # The cert could be in PKCS12 format, which can store both cert and key
+ $ret{SSL_cert_file} = $smtp_ssl_client_cert;
+ $ret{SSL_use_cert} = 1;
}
+ if (defined $smtp_ssl_client_key) {
+ if (!defined $smtp_ssl_client_cert) {
+ # doesn't make sense to use a client key only
+ die sprintf(__("Only client key \"%s\" specified"), $smtp_ssl_client_key);
+ }
+ $ret{SSL_key_file} = $smtp_ssl_client_key;
+ }
+
+ return %ret;
}
sub file_name_is_absolute {
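Review bot: unlike the CA-path branch, which dies with a translated "CA path \"%s\" does not exist" message, the new client-cert and client-key branches pass `$smtp_ssl_client_cert` and `$smtp_ssl_client_key` straight into `%ret` without checking that the files exist, so a mistyped path only surfaces later as an opaque SSL-library error; add an `-f` check with a matching `die sprintf(__("client certificate \"%s\" does not exist"), ...)` for each. The `die` for a key given without a cert would also read better as "--smtp-ssl-client-key requires --smtp-ssl-client-cert" than "Only client key \"%s\" specified". Style: the bare `}` followed by `else {` on its own line departs from the `} elsif {` form used two lines below and elsewhere in this script. Finally, most of this hunk is re-indentation of unchanged CA logic; collecting the client-cert keys into a small hash first and splicing it into each existing `return` would keep the early returns and shrink the diff to the lines that actually change.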
--
2.53.0