Hi, just a configuration/security question:
I am running a postfix server which allows relaying and using particular sender domains for some people, but not for the public. The authorised users have to authenticate either with SASL or TLS client certificates. Since the server works also as a recipient, TLS is not enforced for incoming emails.

So relaying and using local domains as sender domains is restricted with permit_mynetworks, permit_tls_clientcerts, permit_sasl_authenticated. Works as expected.

Interestingly, this works even when the client certificate has expired. Although postfix recognizes that it is expired, logs "certificate has expired" and calls it "Untrusted TLS connection established from ", it still grants the rights as if the client had authenticated through TLS. It just verifies the fingerprint.

Is it intentional to log expired certificates and declare them as untrusted, but still accept them?

regards
Hadmut
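To see which clients are affected by the behaviour described above, the two log messages quoted in the post can be correlated per smtpd process. This is an added example, not part of the original post: the log line layout, host names and addresses are constructed, and only the phrases "certificate has expired" and "Untrusted TLS connection established from" are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption; only the two phrases
# quoted in the post are taken from it.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[4101]: connect from client-a.example[192.0.2.10]
Jan 10 09:00:01 mx postfix/smtpd[4101]: client-a.example[192.0.2.10]: certificate has expired
Jan 10 09:00:01 mx postfix/smtpd[4101]: Untrusted TLS connection established from client-a.example[192.0.2.10]: TLSv1.3
Jan 10 09:00:05 mx postfix/smtpd[4102]: connect from client-b.example[192.0.2.20]
Jan 10 09:00:05 mx postfix/smtpd[4102]: Trusted TLS connection established from client-b.example[192.0.2.20]: TLSv1.3
Jan 10 09:00:09 mx postfix/smtpd[4103]: connect from mta.example[2001:db8::7]
Jan 10 09:00:09 mx postfix/smtpd[4103]: Untrusted TLS connection established from mta.example[2001:db8::7]: TLSv1.2
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
# Client is "name[address]"; the address may contain colons (IPv6).
UNTRUSTED_RE = re.compile(
    r"^Untrusted TLS connection established from (\S+?\[[^\]]*\])")


def expired_cert_sessions(lines):
    """Return {client: count} for TLS sessions logged as untrusted right after
    the same smtpd process logged an expired certificate."""
    expired_pending = set()   # smtpd PIDs that logged an expiry in this session
    hits = defaultdict(int)
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            expired_pending.discard(pid)   # new session on a reused process
        elif "certificate has expired" in msg:
            expired_pending.add(pid)
        else:
            u = UNTRUSTED_RE.match(msg)
            if u:
                if pid in expired_pending:
                    hits[u.group(1)] += 1
                expired_pending.discard(pid)
    return dict(hits)


if __name__ == "__main__":
    for client, n in expired_cert_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} session(s) with an expired client certificate")
```

Clients reported here are the ones whose entries in the fingerprint table should be reviewed; an untrusted session without a preceding expiry message (the third sample client) is not counted.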