Thanks for pointing, missed this option. Then I retract my point, it should possible to replace SASL with certs.IIRC I've implemented client authc based on cert fingerprint maps back in winter '99 (based on Lutz postfix-tls patches). So yes, it's feasible provided you issue personal client certs to all your users.http://www.postfix.org/postconf.5.html#relay_clientcerts
-- With Best Regards, Marat Khalili
