> > would take to add that. I imagine there are a few bits of magic you
> > need to tell the TLS library where the certificate and private key are
> > located. I have a question: do you specify the SASL EXTERNAL mechanism
> > if you are doing this?
>
>Not with postfix. It's been a thing for decades.
>No SASL. It's not using submissions port or SMTP AUTH.

Fair enough; I'm not saying that the protocol doesn't exist, it just seems like it's extremely uncommon. BTW, does that require the TLS client EKU in the client certificate? It seems like that's going away from certificates issued by most public CAs, at least ones that want to be part of the Chrome root certificate program. Also, I do have to ask why you don't use something like SASL, which has much wider client support (and I know postfix supports that).

--Ken
