On Tue, Dec 20, 2011 at 10:24:04AM +0100, lst_ho...@kwsoft.de wrote:

> As far as I understand you have to list the complete chain but only
> your sub-CA to get it working.
This is not the case:

    http://www.postfix.org/TLS_README.html#server_access

        Allow the remote SMTP client request if the client certificate
        passes trust chain verification. Useful with private-label CAs
        that only issue certificates to trusted clients (and not
        otherwise).

Trust chain verification succeeds when the *root* CA is trusted, and the
client correctly provides the requisite trust chain, or perhaps the local
configuration provides the missing intermediate CA certs, but this is
neither expected nor required.

Postfix client certs are typically trusted by fingerprint (if you issued
the certs, you should have copies of them, so there is no benefit from
any of the CA authority bits; just list the cert fingerprints in an
access list).

If you want to trust some CA to imply relay rights rather than just an
identity mapping (this is unwise I think; it is not a CA's job to entitle
the bearer to any services, rather the CA just asserts a key-to-identity
binding), then it needs to be a dedicated private root CA that just
issues "right to relay email" certs.

-- 
	Viktor.
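The fingerprint-based trust the reply describes, as an added example that is not part of the original thread and not Postfix code: it emulates how a check_ccert_access lookup keys on the client certificate digest in Postfix's colon-separated uppercase hex form, so that only certificates you have copies of are granted relay, and no CA (public or private) can mint a new one that matches. The certificate bytes are constructed placeholders standing in for DER; the digest algorithm and table layout follow Postfix's smtpd_tls_fingerprint_digest and relay_clientcerts conventions, and the main.cf fragment in the docstring is an assumed configuration, not something from the thread.

```python
"""
Added example: fingerprint access-list trust for Postfix client certs.

Postfix looks up the client certificate's digest in the check_ccert_access
table as colon-separated uppercase hex ("AB:CD:..."). The algorithm is set
by smtpd_tls_fingerprint_digest (md5 by default in 2011-era Postfix,
sha256 from Postfix 3.6 on). An assumed matching main.cf fragment:

    smtpd_tls_ask_ccert = yes
    smtpd_tls_fingerprint_digest = sha256
    smtpd_recipient_restrictions =
        permit_mynetworks,
        check_ccert_access hash:/etc/postfix/relay_clientcerts,
        reject_unauth_destination

Note that no smtpd_tls_CAfile entry is needed for this path: the lookup
is by digest of the presented certificate, not by chain verification.
"""
import hashlib

# Constructed placeholder "DER" blobs. Fingerprinting never parses the
# certificate, so any byte string exercises the same logic as real DER.
TRUSTED_CLIENT_DER = b"constructed: certificate we issued to our relay client"
UNKNOWN_CLIENT_DER = b"constructed: certificate issued by some other CA"


def postfix_fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Digest of the DER certificate in Postfix's AB:CD:EF:... form."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_access_map(text: str) -> dict:
    """Parse a relay_clientcerts-style table: "FINGERPRINT  ACTION" per line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.upper()] = action.strip()
    return table


def check_ccert_access(der: bytes, access_map: dict, digest: str = "sha256"):
    """Emulate check_ccert_access: the table's action for this cert, or None."""
    return access_map.get(postfix_fingerprint(der, digest))


def build_relay_clientcerts() -> str:
    """Constructed relay_clientcerts contents listing only the cert we issued."""
    return (
        "# fingerprint of the client cert we keep a copy of\n"
        f"{postfix_fingerprint(TRUSTED_CLIENT_DER)}  OK\n"
    )


def demo() -> dict:
    """Run both lookups; the unknown cert gets no entry regardless of its CA."""
    access_map = parse_access_map(build_relay_clientcerts())
    return {
        "trusted": check_ccert_access(TRUSTED_CLIENT_DER, access_map),
        "unknown": check_ccert_access(UNKNOWN_CLIENT_DER, access_map),
    }


if __name__ == "__main__":
    print(build_relay_clientcerts())
    print(demo())
```

Because the table holds digests of the exact certificates you issued, a private CA key compromise (or a renewed cert you did not add) yields no relay rights, which is the property the reply prefers over permit_tls_all_clientcerts.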