On Wed, Jun 10, 2015 at 07:44:01PM -0700, PGNd wrote:
> > Check the content with "postmap -q <fingerprint> lmdb:..."
> >
> > > -o smtpd_client_restrictions=
> > > -o smtpd_helo_restrictions=
> > > -o smtpd_sender_restrictions=
> > > -o smtpd_recipient_restrictions=
> > > -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
> > > -o smtpd_data_restrictions=
> > > -o smtpd_end_of_data_restrictions=
> >
> > This looks like "permit_tls_clientcerts" did not match.
>
> It turns out the problem was a missing
>
> -o tls_append_default_CA=yes
You should not need that. You can safely replace "smtpd_tls_req_ccert" with "smtpd_tls_ask_ccert". Clients that don't present a certificate will be denied access anyway.

Also IIRC your logging reported "Trusted" client connections, so trust path verification was working anyway. Likely some other change made things work. I would set that to "no" (safer) and avoid "req_ccert".

-- 
	Viktor.
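A small audit script, added here as an example and not part of the thread or of Postfix itself, that reads "postconf -P" style lines (service/type/parameter = value) and flags the three settings discussed above: tls_append_default_CA=yes, smtpd_tls_req_ccert=yes, and a relay restriction that does not use permit_tls_clientcerts. The sample input is constructed, not real postconf output.

```shell
#!/bin/sh
# Added example, not from the thread. Audits "postconf -P"-style lines
# (service/type/parameter = value) for the client-cert settings discussed
# above. Prints one finding per line; exit status 1 if anything was flagged.
audit_ccert_overrides() {
    awk '
        {
            eq = index($0, " =")
            if (eq == 0) next
            n = split(substr($0, 1, eq - 1), k, "/")
            svc = k[1]; param = k[n]
            val = substr($0, eq + 2); sub(/^ +/, "", val)
        }
        param == "tls_append_default_CA" && val == "yes" {
            print svc ": tls_append_default_CA=yes adds the system CA bundle to the trust path; set it to no"
            hits++
        }
        param == "smtpd_tls_req_ccert" && val == "yes" {
            print svc ": smtpd_tls_req_ccert=yes; use smtpd_tls_ask_ccert=yes, permit_tls_clientcerts still rejects clients without a listed cert"
            hits++
        }
        param == "smtpd_relay_restrictions" && index(val, "permit_tls_clientcerts") == 0 {
            print svc ": smtpd_relay_restrictions does not use permit_tls_clientcerts"
            hits++
        }
        END { exit (hits > 0) }
    '
}

# Constructed sample of what "postconf -P" prints for a submission service
# configured the way the original poster described (not real output).
sample_postconf_P() {
    cat <<'EOF'
submission/inet/tls_append_default_CA = yes
submission/inet/smtpd_tls_req_ccert = yes
submission/inet/smtpd_client_restrictions =
submission/inet/smtpd_relay_restrictions = permit_tls_clientcerts,reject
EOF
}

if ! sample_postconf_P | audit_ccert_overrides; then
    echo "findings above; on a live system run: postconf -P | audit_ccert_overrides" >&2
fi
```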