On Wed, Jan 05, 2022 at 11:09:56PM -0500, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Thu, Jan 06, 2022 at 02:09:45PM +1100, raf wrote:
>
> > > is on - so it is asking for client certificates?
> > > But that is really not authentication, if I understand things.
> >
> > It's asking for them (from all clients, even for remote
> > mail servers sending you mail which isn't helpful), but
> > it's only asking, not requiring. It's better to require
> > them for the submission service in master.cf and then
> > match the client certificates against a list of known
> > fingerprints.
>
> I don't think that requiring client certs is a best practice. It
> precludes concurrent use of alternative authentication methods. Just
> asking is generally enough

Thanks. But even so, it should probably still only be
a -o override in master.cf rather than in main.cf.

cheers,
raf
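
The configuration discussed in this thread, as an added example that is not part of the original messages: client certificates are requested (not required) only on the submission service via `-o` overrides in master.cf, and matched against a fingerprint list while SASL stays available. The map path, the restriction list and the fingerprint placeholder are assumptions for illustration.

```conf
# ---- /etc/postfix/main.cf ----
# Leave the global default alone so the port 25 service does not
# ask every remote mail server for a client certificate.
smtpd_tls_ask_ccert = no

# Digest used when computing client certificate fingerprints.
smtpd_tls_fingerprint_digest = sha256

# Lookup table of known client certificate fingerprints
# (path is an assumption; build it with "postmap").
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# ---- /etc/postfix/relay_clientcerts ----
# One fingerprint per line, followed by any value, for example:
# <SHA256-FINGERPRINT-PLACEHOLDER>   laptop.example.com

# ---- /etc/postfix/master.cf ----
# Ask for (but do not require) a client certificate on submission only.
# Clients without a listed certificate can still authenticate with SASL.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
```

Using `smtpd_tls_req_ccert=yes` here instead would make the TLS handshake fail for clients that present no certificate, which is the case the quoted reply warns precludes other authentication methods.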