On Fri, Jan 07, 2022 at 12:23:16PM +1100, raf wrote:
> > I don't think that requiring client certs is a best practice. It
> > precludes concurrent use of alternative authentication methods. Just
> > asking is generally enough
>
> Thanks. But even so, it should probably still only be
> a -o override in master.cf rather than in main.cf.
Yes, definitely limit cert requests to the submission ports. Because:
* Avoids sending potentially long lists of CA subject DNs to
every remote MTA, possibly exceeding various buffer sizes for the
TLS server hello or TLS 1.3 equivalent.
* Avoids potential (if unlikely) interoperability issues if a remote
MTA treats the request as a requirement to present a client
certificate it does not possess.
--
Viktor.
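As an added illustration that is not part of the thread, here is a Postfix main.cf / master.cf arrangement that follows the advice above: the client-certificate request is an -o override on the submission services only, so port 25 traffic never sees it. The CA file path is a constructed placeholder.

```conf
# main.cf (global, applies to every smtpd instance including port 25)
# Opportunistic TLS for remote MTAs; the CAs listed here are what a
# certificate request would advertise to the peer, so keep this list
# short and, above all, do not set smtpd_tls_ask_ccert here.
smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/postfix/client-cas.pem
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no

# master.cf: ask (not require) on the submission services only
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sasl_auth_enable=yes

# Check: "postconf -P | grep ask_ccert" should list the override only
# under submission/inet and smtps/inet, and "postconf -n" should not
# show smtpd_tls_ask_ccert = yes at all.
```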