Sent from my Android device.

On Feb 5, 2017 5:15 PM, "Wietse Venema" <wie...@porcupine.org> wrote:

> The answer is simple: because no Postfix access feature currently requires the info that you're referring to. Lack of demand. More likely is that a site allows access based on client certificates from one trusted signer, and in that case, why would one need the complexity of all the possible names in a certificate?
>
> Wietse

Here is one valid use case: the mail service operator doesn't manage or participate in the certificate issuance itself, but he expects that his users get their certificates from a commercial CA, e.g. Symantec (which he trusts for validating emails and including them in subject DNs). At the same time, this mail service operator doesn't want to allow authentication for all of the Symantec-issued certificates, but only some, e.g. the ones with a given domain in the "emailaddress" subject attribute. In this case the policy server would need the "emailaddress" attribute to decide.

But I would understand if this is not a regular use case, so I ask if there are some official guidelines on forking Postfix, for example, to modify the policy access client code while keeping it as easy as possible to merge upstream changes when they are available.
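The policy described in the reply above (trust one commercial CA, but accept only certificates whose emailAddress falls in a given domain) can be expressed as a small SMTPD policy-delegation server. The following is an added illustration, not code from this thread or from Postfix. It implements the real policy protocol (one `name=value` attribute per line, an empty line ending the request, an `action=` line ending the response) and uses the real `ccert_subject` and `ccert_issuer` attributes, but the `ccert_subject_email` attribute is hypothetical: as the reply says, current Postfix does not pass the emailAddress subject attribute, so this assumes a modified Postfix that exports it. The sample request is constructed.

```python
"""Minimal Postfix policy-delegation decision: one trusted CA, one allowed email domain."""
import io
from typing import Dict, Iterable, TextIO

# HYPOTHETICAL attribute name: stock Postfix does not export the certificate's
# emailAddress subject attribute to policy servers. This assumes a patched
# Postfix that passes it under this name.
EMAIL_ATTR = "ccert_subject_email"


def parse_policy_request(lines: Iterable[str]) -> Dict[str, str]:
    """Parse one policy request: name=value lines terminated by an empty line."""
    request: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            break  # empty line terminates the request
        name, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line; Postfix never sends these, ignore defensively
        request[name] = value
    return request


def decide(request: Dict[str, str], trusted_issuer: str, allowed_domain: str) -> str:
    """Return the policy action for a parsed request.

    Rule: the client certificate must have been verified by Postfix (ccert_*
    attributes are only present for verified certificates), it must come from
    the one trusted issuer, and its emailAddress must be in allowed_domain.
    """
    if not request.get("ccert_subject"):
        # No verified client certificate: let the other restrictions decide.
        return "DUNNO"
    if request.get("ccert_issuer") != trusted_issuer:
        return "REJECT client certificate issuer is not trusted"
    email = request.get(EMAIL_ATTR, "")
    _local, at, domain = email.rpartition("@")
    if not at or domain.lower() != allowed_domain.lower():
        return "REJECT client certificate email is not in the allowed domain"
    return "OK"


def serve_one(rfile: TextIO, wfile: TextIO, trusted_issuer: str, allowed_domain: str) -> str:
    """Handle a single request/response exchange on an open connection."""
    request = parse_policy_request(rfile)
    action = decide(request, trusted_issuer, allowed_domain)
    wfile.write(f"action={action}\n\n")  # response ends with an empty line
    wfile.flush()
    return action


# Constructed sample request, in the shape Postfix sends to a policy server.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "ccert_subject=Alice Example\n"
    "ccert_issuer=Example Commercial CA\n"
    f"{EMAIL_ATTR}=alice@corp.example\n"
    "\n"
)


if __name__ == "__main__":
    out = io.StringIO()
    serve_one(io.StringIO(SAMPLE_REQUEST), out, "Example Commercial CA", "corp.example")
    print(out.getvalue(), end="")
```

For real use, wrap `serve_one` in a socket server (for example `socketserver.StreamRequestHandler`) and point `check_policy_service` at it from an `smtpd_*_restrictions` list; the decision itself stays in `decide`, which is what a forked Postfix would have to feed with the extra attribute.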