On Wed, Jan 29, 2014 at 03:15:44PM +0100, Patrik B?t wrote:

> The problem though, is that a customer wants to send it mutual
> to us (eg. mta <-> mta), but we can always set up another transport for
> that and tell the customer's customer to send mail to that one instead :)

If they are not using your system as an outbound relay, but rather sending email to your domain, client certificates are a pointless farce.

If they are using your system to relay, then indeed configure a dedicated TCP endpoint that is separate from your inbound MX service and use their client certificate for access control.

Client certificates not used for access control are pointless. Perhaps they are trying to simulate S/MIME with TLS, sadly that simply does not work.

-- 
Viktor.