On 3/11/20 3:59 PM, Viktor Dukhovni wrote:
On Wed, Mar 11, 2020 at 10:46:03AM -0400, Wietse Venema wrote:

I think Postfix doc could be improved, mentioning "smtpd_tls_ask_ccert"
here http://www.postfix.org/postconf.5.html#permit_tls_clientcerts would
have been helpful.

Feel free to post a patch. The relevant source file is
"proto/postconf.proto", from which both the HTML and the manpage are
machine-generated. You can find the source at either:
http://www.postfix.org/download.html
or clone it via git from:
https://github.com/vdukhovni/postfix
In that repository all the upstream files are in an additional top-level
"postfix" sub-directory, so the file in question is in
postfix/proto/postconf.proto.

I added a warning to the check_ccert_access implementation, when
there is no client certificate, and tlsproxy_tls_ask_ccert is
disabled.
Also added a hint to the check_ccert_access documentation.
I assume that also covers permit_tls_clientcerts, used by the OP,
and even "permit_tls_all_clientcerts".

Thanks a lot, hopefully nobody else is going to ask the same question
anymore.
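
Added example (not part of the thread and not Postfix code): a small Python lint for the misconfiguration discussed above, where a certificate-based restriction is listed but the server never asks clients for a certificate. The function names and the sample main.cf are constructed; it reads main.cf text only and assumes no master.cf `-o` overrides, no `$parameter` expansion and no smtpd_restriction_classes.

```python
import re

# Restriction features that only match when the client presented a certificate.
CCERT_FEATURES = ("permit_tls_clientcerts", "permit_tls_all_clientcerts",
                  "check_ccert_access")

def parse_main_cf(text):
    """Parse main.cf text into {name: value}, joining continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if line[0].isspace() and name:
            params[name] += " " + line.strip()  # leading whitespace = continuation
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def ccert_lint(text):
    """Return (parameter, feature) pairs that cannot match because the
    server is not configured to request a client certificate."""
    params = parse_main_cf(text)
    # smtpd_tls_req_ccert = yes also makes the server request a certificate.
    if any(params.get(p, "no").lower() == "yes"
           for p in ("smtpd_tls_ask_ccert", "smtpd_tls_req_ccert")):
        return []
    findings = []
    for pname, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", pname):
            findings += [(pname, tok) for tok in re.split(r"[,\s]+", value)
                         if tok in CCERT_FEATURES]
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
smtpd_tls_security_level = may
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination
smtpd_recipient_restrictions = check_ccert_access hash:/etc/postfix/ccerts
"""

if __name__ == "__main__":
    for pname, feature in ccert_lint(SAMPLE):
        print(f"{pname}: {feature} is listed but no client certificate is requested")
```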