Demi Marie Obenour:
> >> It seems that there are knobs that let you list *individual certs* for
> >> allowing trusted relaying, but not *individual CAs*.
> >>
> >> Is there any way around this?
> >
> > Yes: handle that traffic with a dedicated smtpd instance that only
> > trusts your internal root.
> >
> > Postfix check_ccert_access currently supports matches based on
> > certificate fingerprint and public key fingerprint. The other
> > available attributes, issuer name and subject name, are too soft
> > for security decisions.
>
> Would it be possible to support trusting based on subject alt name?
> I would like a machine with a certificate for a.example.com to send
> mail from a.example.com domains.

What is the trust model here?

	Wietse
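
The dedicated-instance approach from the quoted reply, sketched as a master.cf entry. This is an added example, not configuration posted in the thread; the port number, syslog name and CA file path are assumptions.

```conf
# /etc/postfix/master.cf
# Separate smtpd listener for internal relay clients (port 10587 is an assumed example).
# It trusts exactly one CA, so "certificate verified" means "issued by the internal root".
10587     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/internal-relay
  # Client certificates can only be required when TLS itself is mandatory.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  # Only the internal root (assumed path); clear any CApath inherited from main.cf
  # and keep the system default CA bundle out of the trust store.
  -o smtpd_tls_CAfile=/etc/postfix/internal-root.pem
  -o smtpd_tls_CApath=
  -o tls_append_default_CA=no
  # Relay for any client whose certificate verifies against that one CA; reject the rest.
  -o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject
```

On this listener every certificate issued by the internal root is allowed to relay, for any sender address, so the instance is only as strict as that CA's issuance policy. Keep `permit_tls_all_clientcerts` off the public port 25 service, where the trusted CA set is normally much wider.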