On Tue, Apr 02, 2019 at 07:15:58PM +0200, Francesc Peñalvez wrote:

> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
>     permit_tls_all_clientcerts permit_sasl_authenticated
>     permit_auth_destination
>     check_client_access hash:/etc/postfix/access

The "permit_tls_all_clientcerts" here is currently a NOOP, given the
rest of your configuration, but is a bad idea, and should be removed.

> smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
> smtpd_tls_CApath = /etc/ssl/certs

Your authorized CAs likely include the usual panoply of public CAs,
and you should not be trusting clients with some random certificate
from any of these. As luck would have it, you're not configured to
request client certs, hence the "NOOP", but this could change later.

-- 
Viktor.
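
A check for the situation described in the reply above, as an added example that is not part of the original message: it reads `postconf -n` style text and reports whether `permit_tls_all_clientcerts` is present and whether it is inert or live. The function names are hypothetical, the sample is constructed from the settings quoted in the thread, and only main.cf text is examined (per-service `-o` overrides in master.cf and the TLS security level are not considered).

```python
import re

# Constructed sample in `postconf -n` style, built from the settings quoted above.
SAMPLE = """\
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
    permit_tls_all_clientcerts permit_sasl_authenticated
    permit_auth_destination
    check_client_access hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_CApath = /etc/ssl/certs
"""

def parse_main_cf(text):
    """Parse main.cf text into a dict, joining whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments carry no value
        if line[0].isspace() and name:    # continuation of the previous parameter
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def audit_all_clientcerts(params):
    """Return (restriction lists using permit_tls_all_clientcerts, status).

    status: "absent" - the restriction is not used anywhere
            "noop"   - used, but the server never requests client certs
            "active" - used and client certs are requested, so a certificate
                       from any CA in smtpd_tls_CAfile/CApath is permitted
    """
    users = sorted(k for k, v in params.items()
                   if re.fullmatch(r"smtpd_\w+_restrictions", k)
                   and "permit_tls_all_clientcerts" in re.split(r"[,\s]+", v))
    asks = any(params.get(p, "no").lower() == "yes"
               for p in ("smtpd_tls_ask_ccert", "smtpd_tls_req_ccert"))
    if not users:
        return users, "absent"
    return users, "active" if asks else "noop"

if __name__ == "__main__":
    print(audit_all_clientcerts(parse_main_cf(SAMPLE)))
```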