Thanks Wietse, I missed this first time, this must be the walkthrough that Viktor mentioned.
Very useful, I will take a closer look on Monday.

Best,
Chris

On Aug 7, 2021, 15:19, at 15:19, Wietse Venema <wie...@porcupine.org> wrote:
>Chris Bamford:
>> Hello,
>>
>> I would like to know how Postfix handles client certificates for delivery
>> i.e. when it makes a remote connection to deliver email.
>>
>> Is it possible to control the certificate that is used per domain?
>
>The client certificate is a Postfix SMTP client setting; the
>certificate will be used for all email deliveries by that Postfix
>SMTP client.
>
>The following example uses one Postfix SMTP client per sender domain,
>each Postfix SMTP client having its own client certificate:
>
>/etc/postfix/main.cf:
>    sender_dependent_default_transport_maps =
>        hash:/etc/postfix/sender_transport
>        # In case you need a cert for all other deliveries.
>        # static:/etc/postfix/default-cert/pem
>
>/etc/postfix/sender_transport:
>    # Searched by sender email address and @domain.
>    @example.com    smtp-example-com
>    @example.org    smtp-example-org
>    ...
>
>/etc/postfix/master.cf:
>    smtp-example-com .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
>    smtp-example-org .. .. .. .. .. .. .. smtp
>        -o smtp_tls_cert_file=/etc/postfix/example-org-cert.pem
>    ...
>
>To make this more scalable, the Postfix SMTP client would need the
>opposite of tls_server_sni_maps, to dynamically choose the client
>certificate based on the sender info.
>
>    Wietse
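
With one transport per sender domain, sender_transport and master.cf have to be kept in step by hand. The following consistency check is an added example, not part of the thread or of Postfix: the function names, the sample data and the "unix - - n - - smtp" columns are assumptions made for illustration.

```python
# Constructed sample inputs; "unix - - n - - smtp" is an assumed, typical entry.
SENDER_TRANSPORT = """\
# Searched by sender email address and @domain.
@example.com    smtp-example-com
@example.org    smtp-example-org
@example.net    smtp-example-net
"""
MASTER_CF = """\
smtp-example-com unix - - n - - smtp
    -o smtp_tls_cert_file=/etc/postfix/example-com-cert.pem
smtp-example-org unix - - n - - smtp
    -o syslog_name=postfix/example-org
"""

def parse_sender_transport(text):
    # Map each lookup key to its transport name ("transport:nexthop" allowed).
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1].split(":", 1)[0]
    return table

def parse_master_cf(text):
    # Map each service name to its overrides (plain "-o name=value" form only).
    services, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if not line[0].isspace():        # a new service entry starts in column 1
            current = services.setdefault(tokens[0], {})
            tokens = tokens[8:]          # skip the 7 fields and the command name
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg and current is not None:
                current.update([arg.split("=", 1)])
    return services

def audit(sender_transport, master_cf):
    # Yield sender keys whose transport would not present its own certificate.
    services = parse_master_cf(master_cf)
    for key, transport in parse_sender_transport(sender_transport).items():
        if transport not in services:
            yield (key, transport, "no master.cf service")
        elif "smtp_tls_cert_file" not in services[transport]:
            yield (key, transport, "no smtp_tls_cert_file override")

if __name__ == "__main__":
    for finding in audit(SENDER_TRANSPORT, MASTER_CF):
        print(*finding, sep="\t")
```

To audit a live system, pass the contents of the real sender_transport and master.cf files to audit() in place of the constructed samples.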