On Wed, Jun 10, 2015, at 08:15 PM, Viktor Dukhovni wrote:
> You should not need that. You can safely replace "smtpd_tls_req_ccert"
> with "smtpd_tls_ask_ccert". Clients that don't present a certificate
> will be denied access anyway.
> Also IIRC your logging reported
> "Trusted" client connections, so trust path verification was working anyway.
>
Yes, I now have the usual
... Trusted TLS connection established ...
in logs.
> I would set that to "no" (safer) and avoid "req_ccert".
Switch to
...
-o smtpd_tls_ask_ccert=yes
-o smtpd_tls_req_ccert=no
-o tls_append_default_CA=no
does work as promised. I was surprised that it does; it simply means I don't
understand the 'flow' well. Back to the docs.
> Likely some other change made things work.
Yes, there's that. As I read, it's likely.
Many moving parts, atm ...
Thanks.
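The thread uses the "Trusted TLS connection established" log line as the evidence that the client-certificate trust path is working. The script below is an added example, not code from the thread or from Postfix, that classifies inbound smtpd TLS log lines by trust level and lists the peers that did not reach "Trusted"; it assumes the server-side level names Anonymous, Untrusted and Trusted from Postfix's TLS_README, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Postfix smtpd logs each inbound TLS session as
# "<Level> TLS connection established from <host>[<ip>]: <proto> with cipher <name> ...".
# Levels assumed here (per TLS_README): Anonymous (no client cert offered),
# Untrusted (cert offered but not verifiable), Trusted (cert chains to a
# CA the server trusts, e.g. smtpd_tls_CAfile with tls_append_default_CA=no).
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted) TLS connection "
    r"established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def parse_tls_line(line):
    """Return level/host/ip/proto/cipher for a TLS session line, else None."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count sessions per trust level and collect peers below Trusted.
    With smtpd_tls_ask_ccert=yes and smtpd_tls_req_ccert=no such peers still
    finish the handshake; the access policy, not TLS, is what turns them away,
    so they are worth reviewing rather than assumed to be blocked."""
    counts = Counter()
    not_trusted = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue
        counts[rec["level"]] += 1
        if rec["level"] != "Trusted":
            not_trusted.append((rec["level"], rec["host"], rec["ip"]))
    return counts, not_trusted

# Constructed sample log lines; hostnames and addresses are placeholders.
SAMPLE_LOG = [
    "Jun 10 20:15:01 mx postfix/smtpd[12345]: Trusted TLS connection established from relay.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun 10 20:15:07 mx postfix/smtpd[12346]: Untrusted TLS connection established from other.example.org[198.51.100.7]: TLSv1.2 with cipher AES128-SHA (128/128 bits)",
    "Jun 10 20:15:09 mx postfix/smtpd[12347]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Jun 10 20:15:12 mx postfix/smtpd[12347]: connect from unknown[203.0.113.5]",
]

if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    print(dict(counts))
    for level, host, ip in peers:
        print(f"{level}: {host}[{ip}]")
```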