All,

Using sendmail, I've been asking for client certs for a long time. I've always figured "if you configure your sendmail with both a client cert and a server cert, you might as well use it; after all, you paid for the thing". (This may have been the sunk-cost fallacy back when I was paying for an SSL cert for my FQDN, even though I wasn't running any web services on it.)

Postfix does not ask for client certs by default. Sendmail does by default, if you configure a CAFile. Doing so is documented as one of the mandatory settings for StartTLS to work at all in sendmail. It seems at least a few people are putting the entirety of their browser trust chain into that file, thus saying "hey, send pretty much any commercially-signed cert you have configured on your mail server".

I can find no RFCs, etc., that specifically say whether this is recommended or not recommended behavior. I know the authors also move in the OpenSSL community, and probably in the standards community as well. Are you aware of anything (internet drafts, BCP documents, etc.)?

(Is this better asked on mailop, perhaps?)

-Dan