* Viktor Dukhovni <postfix-users@postfix.org>:
> On Tue, Jul 29, 2014 at 02:54:29PM +0200, Patrick Ben Koetter wrote:
>
> > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs,
> > because there are enough MTAs out there unable to handle client certificate
> > requests from a server they connect to.
> >
> > If that is true, would it be possible to make smtpd_tls_ask_ccert client
> > dependent, e.g. request a ccert when the client sends e.g. a specific HELO
> > hostname?
> >
> > mail.example.com ask_ccert
> > .example.net ask_ccert
>
> Obviously this would be a new feature. With the existing Postfix
> you can run an SMTP service that requests client certificates on
> a different IP address or port, provided the clients in question
> are willing to configure a manual transport entry for your domain.
>
> As for the new feature, it is possible in principle. How important
> is this? What value do you expect to get from said client
> certificates?

I would want to identify clients by their certificate fingerprint. Either in a
policy service or in a Postfix map. I am thinking smtpd_tls_policy_maps.

>
> --
> Viktor.

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
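An added example (not code from the thread, from Postfix, or from the poster) of the policy-service route mentioned above: a minimal SMTPD policy handler that looks up the ccert_fingerprint attribute Postfix passes once smtpd_tls_ask_ccert is enabled. The fingerprint value and client label in the allowlist are constructed placeholders.

```python
"""Postfix SMTPD policy service that classifies a client by its TLS
client-certificate fingerprint.  Constructed example; not Postfix code.
Assumes the standard policy-delegation protocol (name=value lines, blank
line terminator, reply 'action=...' plus blank line) and its
ccert_fingerprint attribute, which Postfix only fills when
smtpd_tls_ask_ccert = yes and the client presented a certificate."""
import sys

# Constructed allowlist: fingerprint -> client label.  Postfix reports the
# fingerprint as colon-separated uppercase hex of smtpd_tls_fingerprint_digest.
TRUSTED_CCERTS = {
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67": "mail.example.com",
}

def parse_policy_request(raw: str) -> dict:
    """Parse one request block; stop at the terminating blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs: dict) -> str:
    """Return the Postfix action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    fp = attrs.get("ccert_fingerprint", "").upper()
    if not fp:
        return "DUNNO"  # nothing requested or presented: defer to other restrictions
    if fp in TRUSTED_CCERTS:
        return "OK"      # known client; PREPEND of an identifying header would also do
    return "DUNNO"       # unknown certificate proves nothing by itself; fail open

def handle(raw: str) -> str:
    return "action=%s\n\n" % decide(parse_policy_request(raw))

if __name__ == "__main__":
    # Under spawn(8) Postfix talks over stdin/stdout, one block per request.
    block = []
    for line in sys.stdin:
        if line.strip():
            block.append(line.rstrip("\n"))
        else:
            sys.stdout.write(handle("\n".join(block)))
            sys.stdout.flush()
            block = []
```

Wire it in via master.cf as a spawn(8) service and reference it with check_policy_service in smtpd_recipient_restrictions; clients that never send a certificate simply fall through to the remaining restrictions.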