BlueStar88:
> for quite some while. I can see successful chain walks on inbound
> connections resulting in "Trusted TLS connection established from".

"Trusted" verifies the CA chain, not the client DNS name. With HTTP clients, the certificate name check confirms that the client has a TLS connection to the server with a specific DNS name. An SMTP server rarely needs confirmation that it has a TLS connection from a client with a specific DNS name. This is so rare that it is not implemented in Postfix. Instead, we recommend that the server looks at whether the client certificate is issued by a trusted CA (permit_tls_clientcerts), or whether the certificate or public key has a particular fingerprint (check_ccert_access).

> I think the server checks if the peer hostname fits the CN.

It does not.

Wietse
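A constructed main.cf fragment (added here as an illustration, not part of the thread) showing the two mechanisms named above in use: permit_tls_clientcerts keyed on a relay_clientcerts table and check_ccert_access keyed on a fingerprint access table. The file paths and the fingerprint value are placeholders.

```ini
# /etc/postfix/main.cf (constructed example; paths are hypothetical)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file  = /etc/postfix/server.key

# Ask the client for a certificate; without this no client cert is ever seen.
smtpd_tls_ask_ccert = yes

# CAs whose issued client certificates yield the "Trusted TLS connection"
# log line. This is the CA-chain check, not a DNS name check.
smtpd_tls_CAfile = /etc/postfix/client-ca.pem

# Digest used to form the fingerprint lookup key for both tables below.
smtpd_tls_fingerprint_digest = sha256

# permit_tls_clientcerts: certificate must verify against the CA above AND
# its fingerprint must be listed in relay_clientcerts.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# check_ccert_access: decide on the certificate fingerprint itself
# (pinning a specific client), independent of the CA chain.
smtpd_client_restrictions =
    check_ccert_access hash:/etc/postfix/ccert_access

# /etc/postfix/relay_clientcerts (constructed; run "postmap" after editing)
# <sha256 fingerprint, colon-separated uppercase hex>  <free-form comment>
# 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF  mx-client.example

# /etc/postfix/ccert_access (constructed; same key format, access(5) action)
# 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF  OK

# Obtaining the key for a client's certificate (placeholder path):
#   openssl x509 -in client.pem -noout -fingerprint -sha256
```

The placeholder fingerprint above is not a real value; replace it with the output of the openssl command for the client certificate you intend to admit.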