Viktor Dukhovni via Postfix-users:
> > > The best solution is [to] configure client certs *sparingly*, only
> > > for transports dedicated to destinations that definitely need the
> > > client certs, and not otherwise.
> >
> > Why? I feel a little like I was feeling in the early 2000s when we had
> > to justify offering STARTTLS on the server side. IMHO TLS should be
> > default on both ends and any service not complying should need to
> > explain why.
>
> Client certificates serve no purpose unless the server requests them and
> knows what to do with them. That's pretty much just:
>
> - submission servers that use client certs instead of passwords.
> - dedicated mail store servers that restrict delivery (or skip
>   spam filters, ...) to just authorised sources.

In other words, where the server expects to know the client.

Wietse
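
The advice in this thread as a Postfix configuration sketch, added here as an example and not taken from either poster's message. The transport name `certsmtp`, the host names and the file paths are assumptions.

```conf
# ---- /etc/postfix/main.cf ------------------------------------------
# Global form (what the thread advises against): the SMTP client would
# present this certificate to every server that requests one.
#smtp_tls_cert_file = /etc/postfix/client-cert.pem
#smtp_tls_key_file  = /etc/postfix/client-key.pem

# Sparing form: no client certificate by default ...
smtp_tls_cert_file =
smtp_tls_key_file =
# ... and route only the destinations that need one to a dedicated
# transport.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/master.cf ----------------------------------------
# Clone of the stock "smtp" transport that carries the client
# certificate. Paths are placeholders.
certsmtp  unix  -       -       n       -       -       smtp
    -o smtp_tls_cert_file=/etc/postfix/client-cert.pem
    -o smtp_tls_key_file=/etc/postfix/client-key.pem
    # Assumption: the destination authenticates by certificate, so
    # never fall back to cleartext for this transport.
    -o smtp_tls_security_level=encrypt

# ---- /etc/postfix/transport ----------------------------------------
# Only these destinations use the cert-bearing transport
# (hypothetical hosts: a submission server and a mail store).
example.net            certsmtp:[submission.example.net]:587
store.example.org      certsmtp:[mailstore.example.org]:25
```

After editing, rebuild the table with `postmap /etc/postfix/transport` and run `postfix reload`.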