On Wed, Mar 11, 2020 at 10:46:03AM -0400, Wietse Venema wrote:
> > > I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
> > > here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
> > > have been helpful.
> >
> > Feel free to post a patch. The relevant source file is
> > "proto/postconf.proto", from which both the HTML and the manpage are
> > machine-generated. You can find the source at either:
> >
> > http://www.postfix.org/download.html
> >
> > or clone it via git from:
> >
> > https://github.com/vdukhovni/postfix
> >
> > In that repository all the upstream files are in an additional top-level
> > "postfix" sub-directory, so the file in question is in
> > postfix/proto/postconf.proto.
>
> I added a warning to the check_ccert_access implementation, when
> there is no client certificate, and tlsproxy_tls_ask_ccert is
> disabled.
>
> Also added a hint to the check_ccert_access documentation.
I assume that also covers permit_tls_clientcerts, used by the OP,
and even "permit_tls_all_clientcerts".
--
Viktor.
