On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:

> The goal is to be as transparent as possible:
> - if the client is not found in the relay_clientcerts, act as usual
> - if the client is found in the relay_clientcerts, no longer announce
>   AUTH support, the auth and identity mapping is already done by the
>   relay_clientcerts map

I believe you're asking Postfix to (when configured to do that) simulate "AUTH EXTERNAL" when the client has presented a client certificate, but proceeds from "EHLO" to "MAIL FROM" with no intervening explicit "AUTH". The simulated "AUTH EXTERNAL" would never "fail" (5XX), it either yields an authenticated user or proceeds with the user unauthenticated, and acts accordingly. Does that sound right?

--
Viktor.