viktor,
thank you for pointing me in the right direction.
i started out with
smtpd_tls_ask_ccert = yes
but was irritated about the 'Untrusted TLS connection', b/c the client
established a 'Verified TLS connection' with
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
smtp_tls_fingerprint_cert_match = <sha256 fingerprint>
so, to please men with ties, who don't know that an unverified tls
connection can still be secure, and client access is restricted with
smtpd_client_restrictions = permit_tls_clientcerts, reject
i have to add a CA and signed certificates, to get a 'Verified TLS
connection' on the server side, too. That's the thing i hoped to avoid, b/c
it adds another level of complexity. but so be it.
greetings...