* Florin Andrei <flo...@andrei.myip.org>:

> I'm setting up SASL with TLS for remote clients. As an additional
> security measure, I would like the server to ask the email clients to
> present their client certificates. According to the docs, this is
> accomplished with:
>
> smtpd_tls_ask_ccert = yes
>
> But there are some ominous warnings about broken MTAs which may have
> problems when delivering to Postfix if this option is used. If I
> understand correctly, the broken delivery should only occur when
> those MTAs attempt to do TLS to Postfix. So, this should not be a
> problem for all the regular, unencrypted email I receive normally, is
> that right?

Yes.

> Also, after enabling this option, I connected to Postfix with a
> TLS-enabled email client with all the certificates installed. I saw
> this line in the logs:
>
> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection from unknown[XXX.YYY.ZZZ.KKK]
> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)
>
> Why does it say "Anonymous TLS connection"?

Because the TLS certificate is not signed by a trusted CA.

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
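Added example (not part of the thread above, and not Postfix's own code): a small Python parser that reads smtpd log lines of the shape quoted in the post, records the client-certificate status word Postfix puts first in "... TLS connection established from ..." (Anonymous, Untrusted, Trusted or Verified), and also spots peers that started a TLS handshake ("setting up TLS connection from") but disconnected before any "established" line on the same smtpd process, which is the failure pattern the documentation's warning about broken MTAs refers to. The log excerpt is constructed for the example; the Anonymous line mirrors the one in the post, and the Untrusted/Trusted lines are assumed to follow the same format. Peer names and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample log; the Anonymous line copies the shape quoted in the post.
SAMPLE_LOG = """\
Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 20 22:49:09 server postfix/smtpd[7724]: disconnect from unknown[XXX.YYY.ZZZ.KKK]
Aug 20 22:51:10 server postfix/smtpd[7731]: connect from mx.example.net[192.0.2.10]
Aug 20 22:51:10 server postfix/smtpd[7731]: setting up TLS connection from mx.example.net[192.0.2.10]
Aug 20 22:51:11 server postfix/smtpd[7731]: disconnect from mx.example.net[192.0.2.10]
Aug 20 22:53:44 server postfix/smtpd[7740]: connect from laptop.example.org[198.51.100.7]
Aug 20 22:53:44 server postfix/smtpd[7740]: setting up TLS connection from laptop.example.org[198.51.100.7]
Aug 20 22:53:45 server postfix/smtpd[7740]: Trusted TLS connection established from laptop.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 20 22:53:52 server postfix/smtpd[7740]: disconnect from laptop.example.org[198.51.100.7]
Aug 20 22:55:01 server postfix/smtpd[7740]: connect from mta.example.com[203.0.113.5]
Aug 20 22:55:01 server postfix/smtpd[7740]: setting up TLS connection from mta.example.com[203.0.113.5]
Aug 20 22:55:02 server postfix/smtpd[7740]: Untrusted TLS connection established from mta.example.com[203.0.113.5]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 20 22:55:05 server postfix/smtpd[7740]: disconnect from mta.example.com[203.0.113.5]
"""

# syslog prefix: "Mon dd hh:mm:ss host postfix/smtpd[pid]: "
PREFIX = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: '
PEER = r'(?P<peer>[^\[\s]+)\[(?P<addr>[^\]]+)\]'

ESTABLISHED = re.compile(
    PREFIX + r'(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established from '
    + PEER + r': (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)$')
SETTING_UP = re.compile(PREFIX + r'setting up TLS connection from ' + PEER + r'$')
DISCONNECT = re.compile(PREFIX + r'disconnect from ' + PEER + r'$')


def parse_smtpd_tls(log_text):
    """Return (sessions, failed).

    sessions: one dict per 'TLS connection established' line (level, peer,
              addr, proto, cipher, bits, pid, ts).
    failed:   peers that logged 'setting up TLS connection' and then
              'disconnect' on the same smtpd pid without an 'established'
              line in between, i.e. the handshake never completed.
    """
    sessions, failed, pending = [], [], {}
    for line in log_text.splitlines():
        m = SETTING_UP.match(line)
        if m:
            pending[m['pid']] = m['peer'] + '[' + m['addr'] + ']'
            continue
        m = ESTABLISHED.match(line)
        if m:
            pending.pop(m['pid'], None)
            d = m.groupdict()
            d['bits'] = int(d['bits'])
            sessions.append(d)
            continue
        m = DISCONNECT.match(line)
        if m and m['pid'] in pending:
            failed.append(pending.pop(m['pid']))
    return sessions, failed


def level_counts(sessions):
    """How many TLS sessions ended up at each client-certificate status."""
    return Counter(s['level'] for s in sessions)


def peers_without_trusted_ccert(sessions):
    """Peers that did TLS but whose client certificate was not classified as
    Trusted or Verified: exactly the set a policy requiring a CA-verified
    client certificate would have to turn away."""
    return sorted({s['peer'] + '[' + s['addr'] + ']' for s in sessions
                   if s['level'] not in ('Trusted', 'Verified')})


if __name__ == '__main__':
    sessions, failed = parse_smtpd_tls(SAMPLE_LOG)
    for level, n in sorted(level_counts(sessions).items()):
        print(f'{level:10s} {n}')
    print('no trusted client cert:', peers_without_trusted_ccert(sessions))
    print('handshake never completed:', failed)
```

Run it against a real mail log (replace SAMPLE_LOG with the file contents) before enabling any policy that depends on client certificates: the "no trusted client cert" list tells you which submitting clients still need a certificate chaining to the CA in smtpd_tls_CAfile, and the "handshake never completed" list is where broken remote MTAs will show up.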