On Tue, Aug 15, 2017 at 08:28 Marat Khalili <m...@rqc.ru> wrote:

> Hello Tom,
>
> I'm also interested in this question.
>
> On 15/08/17 15:55, Tom Browder wrote:
> > (2) use TLS client certs for the authentication of the relay clients, and
>
> I see a problem with this part. Nothing in docs says postfix uses or at
> least properly traces and logs client CNs from presented certificates.
> Therefore your system would resemble one-account-for-all configuration.
> Depending on requirements it might still work for you, but basically it'd
> be an open relay put into a TLS-protected network (which you can frankly
> organize even without postfix help).
>
Hello, Marat,

I don't know about logging (but a good question), but I just now found this line in the "Postfix" book by Kyle Dent which says to me that the TLS-only authentication should be possible [p. 170, first sentence]:

"You may want to use client-side certificates instead of, ..., other SMTP authentication techniques."

With warmest regards,

-Tom