Marat Khalili wrote:
> On 15/08/17 15:55, Tom Browder wrote:
>> (2) use TLS client certs for the authentication of the relay clients, and
>
> I see a problem with this part. Nothing in the docs says postfix uses or at least
> properly traces and logs client CNs from presented certificates. Therefore your
> system would resemble a one-account-for-all configuration. Depending on requirements
> it might still work for you, but basically it'd be an open relay put into a
> TLS-protected network (which you can frankly organize even without postfix help).

IIRC I've implemented client authc based on cert fingerprint maps back in winter '99 (based on Lutz postfix-tls patches). So yes, it's feasible provided you issue personal client certs to all your users.

http://www.postfix.org/postconf.5.html#relay_clientcerts

Ciao, Michael.
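
A sketch of the per-user fingerprint map discussed in this thread, as an added example that is not part of the original messages or of Postfix itself. It builds one `relay_clientcerts` entry per personal certificate and refuses a certificate shared between two users; the map path, the labels and the sample certificate bytes are assumptions constructed for illustration.

```python
# Postfix side (main.cf), assumed for this example:
#   smtpd_tls_ask_ccert = yes
#   smtpd_tls_fingerprint_digest = sha256
#   relay_clientcerts = hash:/etc/postfix/relay_clientcerts   (path is an assumption)
#   smtpd_relay_restrictions = permit_tls_clientcerts, reject_unauth_destination
import base64
import hashlib
import re

# Constructed sample: placeholder bytes in PEM armor, NOT a parseable X.509
# certificate. The fingerprint is a digest over the DER bytes, so this suffices.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-der-bytes-for-alice").decode()
    + "-----END CERTIFICATE-----\n"
)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem: str, digest: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated upper-case hex, the
    form printed by `openssl x509 -noout -fingerprint -sha256`."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def build_map(certs: dict) -> str:
    """One '<fingerprint> <label>' line per user. The label is for the
    administrator; a shared certificate is rejected so that every relay
    client stays individually identifiable and revocable."""
    lines, seen = [], {}
    for label, pem in sorted(certs.items()):
        fp = cert_fingerprint(pem)
        if fp in seen:
            raise ValueError(f"{label} and {seen[fp]} share one certificate")
        seen[fp] = label
        lines.append(f"{fp} {label}")
    return "\n".join(lines) + "\n"


def is_authorized(fingerprint: str, map_text: str) -> bool:
    """Offline sanity check of the map by exact key match (not Postfix code)."""
    keys = {ln.split()[0] for ln in map_text.splitlines()
            if ln.strip() and not ln.startswith("#")}
    return fingerprint in keys
```

The text returned by `build_map` is the source file that `postmap` would compile for the `hash:` table named in `relay_clientcerts`.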