On Mon, May 10, 2010 at 12:52:55PM -0500, Dave O'Larte wrote:
> relay_clientcerts = hash:/etc/postfix/relay_client_certs
> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject,
> reject

Please see:
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

I am guessing that you think a "permit" in smtpd_client_restrictions
should mean the mail is accepted, no matter what. This is not so.
Every other restriction stage must resolve to permit or DUNNO. Of
particular importance is smtpd_recipient_restrictions, which controls
relaying.

> -- end of postfinger output --
> Postfix logfile contents from a client connect:
> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]:
> localhost[127.0.0.1]: certificate verification depth=1 verify=1
> subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaaaaa/emailAddress=
> a...@aaaaaa.com
> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]:
> localhost[127.0.0.1]: certificate verification depth=0 verify=1
> subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=
> aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com/emailaddress=a...@aaaaaa.com

That looks verified.

> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: Trusted TLS
> connection established from localhost[127.0.0.1]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> May 10 17:33:29 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: disconnect
> from localhost[127.0.0.1]

"Trusted connection" means it is verified. There is no reject_warning
among what you posted.

--
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
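
The stage-by-stage evaluation described in the reply above, as an added example that is not part of the original message and is not Postfix code: a simplified Python model in which a PERMIT only ends its own restriction list and `warn_if_reject` turns the next reject into a logged `reject_warning`. The recipient restriction lists and the client facts are assumptions constructed for illustration; the thread does not show the poster's smtpd_recipient_restrictions.

```python
# Simplified model of Postfix smtpd restriction stages (added example, not Postfix code).
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

def check(name, c):
    """Result of one restriction for constructed client facts c."""
    if name == "permit_tls_clientcerts":
        return PERMIT if c["cert_listed"] else DUNNO
    if name == "permit_mynetworks":
        return PERMIT if c["in_mynetworks"] else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if c["rcpt_local"] else REJECT
    return {"reject": REJECT, "permit": PERMIT}[name]

def run_stage(restrictions, c, warnings):
    """First PERMIT or REJECT decides the stage; falling off the end is DUNNO."""
    warn_next = False
    for name in restrictions:
        if name == "warn_if_reject":      # modifies only the next restriction
            warn_next = True
            continue
        result = check(name, c)
        if result == REJECT and warn_next:
            warnings.append("reject_warning: " + name)  # logged, not enforced
            result = DUNNO
        warn_next = False
        if result != DUNNO:
            return result
    return DUNNO

def accept_rcpt(stages, c):
    """Accepted only if no stage rejects; a PERMIT ends just its own stage."""
    warnings = []
    for stage, restrictions in stages:
        if run_stage(restrictions, c, warnings) == REJECT:
            return False, stage, warnings
    return True, None, warnings

# Client list as posted; both recipient lists are ASSUMED (not shown in the thread).
CLIENT = ["permit_tls_clientcerts", "warn_if_reject", "reject"]
POSTED = [("client", CLIENT),
          ("recipient", ["permit_mynetworks", "reject_unauth_destination"])]
FIXED = [("client", CLIENT), ("recipient", ["permit_mynetworks",
         "permit_tls_clientcerts", "reject_unauth_destination"])]
# Constructed facts: a remote client relaying to a non-local recipient.
WITH_CERT = {"cert_listed": True, "in_mynetworks": False, "rcpt_local": False}
NO_CERT = dict(WITH_CERT, cert_listed=False)

if __name__ == "__main__":
    print(accept_rcpt(POSTED, WITH_CERT), accept_rcpt(FIXED, WITH_CERT))
```

In the model, the listed certificate is permitted at the client stage yet the relay attempt is still rejected at the recipient stage until that stage itself permits the client.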