Dan Mahoney:
> All,
>
> Using sendmail, I've been asking for client certs for a long time.
> I've always figured "if you configure your sendmail with both a
> client cert and a server cert, you might as well use it, after
> all, you paid for the thing". (This may have been the sunk-cost
> fallacy back when I was paying for an SSL cert for my FQDN, even
> though I wasn't running any web services on it.)
>
> Postfix does not ask for client certs by default. Sendmail does
> by default, if you configure a CAFile. Doing so is documented as
> one of the mandatory settings for StartTLS to work at all in
> sendmail.
This may be turned on in Postfix with "smtpd_tls_ask_ccert = yes". The default goes back to 2005 when Postfix TLS support was added. Things have changed, but changing this should be tested over a longer time with a range of server configurations (single key, multi key) and client implementations.

Wietse
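For readers who want to see the setting in context, here is a main.cf fragment that turns on the client-certificate request discussed above. It is an added illustration, not part of either message in the thread, and the file paths are placeholders. Only the `smtpd_tls_ask_ccert` line is what Wietse refers to; the surrounding parameters are the standard Postfix server-side TLS settings that a request for client certificates depends on (a CA file to verify against, and the server's own cert and key).

```ini
# Server-side TLS: offer STARTTLS, present our own certificate.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server-cert.pem   # placeholder path
smtpd_tls_key_file  = /etc/postfix/tls/server-key.pem    # placeholder path

# Postfix default (since TLS support was added in 2005): do not ask.
# smtpd_tls_ask_ccert = no

# Request a client certificate; the client may still decline, and the
# session continues without one.  Verification is against the CA file.
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/tls/client-ca.pem        # placeholder path

# Log at level 1 so "Trusted/Untrusted/Anonymous TLS connection" lines
# show whether clients actually presented a certificate during testing.
smtpd_tls_loglevel = 1
```

Note that `smtpd_tls_ask_ccert` only asks; it does not make a certificate mandatory (that is the separate `smtpd_tls_req_ccert` parameter) and on its own grants no access. Since the thread's concern is behaviour across client implementations, the log lines are the practical check: roll the change out on one server first and confirm that clients without certificates still deliver mail normally before applying it more widely.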