> On Apr 18, 2019, at 12:01 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> Eventually there will be a postfix-xxxx-nonprod release that combines
> all the code (jay) and none of the guarantees (bleh).
>
> I am not convinced that stuffing arbitrary PKI identities into a
> SASL identity is necessarily a good idea. Maybe it is safer to solve
> this problem without PKI-to-SASL cross-talk.
I would expect the mapping to be indirect. That is, a table lookup
key of either the client public key fingerprint to a SASL name (roughly
what we have now, but with an explicit RHS indicating the desired SASL
identity), or else the client's subject name in a standard (likely
RFC2254) form, again mapped to the desired identity, provided the
client certificate is from a trusted PKI issuer.
--
Viktor.
