Patrick Ben Koetter:
> IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs,
> because there are enough MTAs out there unable to handle client certificate
> requests from a server they connect to.

Is this still true? Assuming that you are referring to MTA-MTA
communication, not end-user MUAs (such as old Netscape clients that
should have fallen to dust by now).

> If that is true, would it be possible to make smtpd_tls_ask_ccert client
> dependent e.g. request a ccert when the client sends e.g. a specific HELO
> hostname?
>
> mail.example.com ask_ccert
> .example.net ask_ccert

Alternatively, allow a richer input to smtpd_tls_ask_ccert besides yes
and no. For example, a (match)list.

	Wietse
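As an added illustration, not part of either message in the thread: with the parameter as it exists today (yes/no only), the usual way to ask only a chosen set of peers for a client certificate is to run a second smtpd instance in master.cf with its own `-o` overrides, so the public port-25 listener keeps the default `smtpd_tls_ask_ccert = no` and MTAs that cannot cope with a certificate request are never asked. The port number, the map path and the fingerprint value below are constructed placeholders.

```conf
# main.cf (added example): keep the restriction list here so master.cf
# -o lines need no embedded spaces.
smtpd_tls_ask_ccert = no
ccert_clients = check_ccert_access hash:/etc/postfix/relay_ccerts, reject

# master.cf (added example): the public MTA listener is unchanged.
smtp      inet  n       -       n       -       -       smtpd

# Separate listener for peers expected to present a certificate.
# Port 10025 is an arbitrary choice for this example.
10025     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/ccert
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_ccert_verifydepth=3
  -o smtpd_client_restrictions=$ccert_clients

# /etc/postfix/relay_ccerts (build with postmap): key is the client
# certificate fingerprint; the value below is a placeholder.
# AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD   OK
```

Because the certificate request is confined to the dedicated listener, a remote MTA that drops the connection on seeing a CertificateRequest can still deliver to port 25, which is the risk the quoted advice is about; clients that do reach the second instance are admitted only when their certificate fingerprint is in the access map.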