Chris Bamford:
> Hello,
>
> I would like to know how Postfix handles client certificates for delivery
> i.e. when it makes a remote connection to deliver email.
>
> Is it possible to control the certificate that is used per domain?

The client certificate is a Postfix SMTP client setting; the certificate will be used for all email deliveries by that Postfix SMTP client.

The following example uses one Postfix SMTP client per sender domain, each Postfix SMTP client having its own client certificate:

/etc/postfix/main.cf:
    sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
    # In case you need a cert for all other deliveries.
    # static:/etc/postfix/default-cert/pem

/etc/postfix/sender_transport:
    # Searched by sender email address and @domain.
    @example.com smtp-example-com
    @example.org smtp-example-org
    ...

/etc/postfix/master.cf:
    smtp-example-com .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
    smtp-example-org .. .. .. .. .. .. .. smtp
        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
    ...

To make this more scalable, the Postfix SMTP client would need the opposite of tls_server_sni_maps, to dynamically choose the client certificate based on the sender info.

Wietse
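
Added example, not part of the original post and not Postfix code: with one master.cf service per sender domain, a map entry whose service is missing or lacks the `-o smtp_tls_cert_file=` override will not present the intended per-domain certificate, so this sketch cross-checks the two files. The file contents, the `unix - - n - -` columns, the `@example.net` entry and the function names are constructed for illustration, and only plain `-o name=value` overrides are parsed.

```python
# Added example; the sample data is constructed, not taken from a real system.
MASTER_CF = """\
smtp-example-com unix - - n - - smtp
    -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
smtp-example-org unix - - n - - smtp
"""
SENDER_TRANSPORT = """\
# Searched by sender email address and @domain.
@example.com  smtp-example-com
@example.org  smtp-example-org
@example.net  smtp-example-net
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_master_cf(text):
    """Service name -> {parameter: value}, from plain '-o name=value' overrides."""
    services = {}
    for tok in map(str.split, logical_lines(text)):
        opts = {}
        for flag, arg in zip(tok, tok[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                opts[name] = value
        services[tok[0]] = opts
    return services

def audit(sender_text, master_text):
    """Return (key, transport, problem) for each mapping lacking a cert override."""
    services = parse_master_cf(master_text)
    problems = []
    for line in logical_lines(sender_text):
        key, value = line.split(None, 1)
        transport = value.split(":", 1)[0]  # drop any ':nexthop' part
        if transport not in services:
            problems.append((key, transport, "no master.cf service"))
        elif "smtp_tls_cert_file" not in services[transport]:
            problems.append((key, transport, "no smtp_tls_cert_file override"))
    return problems
```

Calling `audit(SENDER_TRANSPORT, MASTER_CF)` on the constructed data flags `@example.org` (service defined without a certificate override) and `@example.net` (no matching service).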