On Wed, Nov 16, 2011 at 01:27:29PM +0100, gmx Ralf Hauser wrote:

> Any hints how to do a client certificate authentication TLS-handshake
> between IBM's v8.51 as the client and postfix/openssl on the server side
> would be highly appreciated.

If you want to validate client certs, you have to ask for them, by setting "smtpd_tls_ask_ccert" (IIRC). The DNs of the CAs listed in "smtpd_tls_CAfile" are sent to the client as a list of CAs by which the client's cert is preferably signed.

The server's cert and trust chain need to be acceptable to the client. Generally, the leaf server cert and all the signing intermediate certs are stored in "smtpd_tls_cert_file" with the leaf first, then the signing CA, then the CA that signed the signing CA, ...

Finally, the client's SMTP server needs to support presenting client certs, to not object to your server cert and to be sufficiently bug free.

--
Viktor.
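
The ordering rule for "smtpd_tls_cert_file" described in the reply above (leaf first, then each signing CA in turn) can be checked mechanically before reloading Postfix. This is an added example, not part of the original message or of Postfix; the function name `check_chain_order` is hypothetical, and it compares issuer and subject name hashes only, so it checks ordering, not signatures.

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered leaf first, then the CA
# that signed it, then the CA that signed that CA, and so on.
# check_chain_order is a hypothetical helper name, not a Postfix tool.

# check_chain_order FILE
#   0 = every cert's issuer name matches the subject of the cert after it
#   1 = ordering problem (position reported on stderr)
#   2 = no certificates found, or openssl could not parse one
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split into cert.1, cert.2, ...; anything outside CERTIFICATE blocks
    # (for example a private key kept in the same file) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=1; rc=0
    [ -f "$tmp/cert.1" ] || { echo "no certificates in $bundle" >&2; rc=2; }
    while [ -f "$tmp/cert.$((i + 1))" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer_hash) \
            || { rc=2; break; }
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject_hash) \
            || { rc=2; break; }
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2
            rc=1; break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh check_chain.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

A bundle that passes this check can still fail in the handshake if a certificate is expired or a signature does not verify; `openssl verify` covers those cases.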