Viktor Dukhovni via Postfix-users:
> > > The best solution is [to] configure client certs *sparingly*, only
> > > for transports dedicated to destinations that definitely need the
> > > client certs, and not otherwise.
> >
> > Why? I feel a little like I was feeling in the early 2000s when we had
> > to justify offering STARTTLS on the server side. IMHO TLS should be
> > default on both ends and any service not complying should need to
> > explain why.
>
> Client certificates serve no purpose unless the server requests them and
> knows what to do with them. That's pretty much just:
>
> - submission servers that use client certs instead of passwords.
> - dedicated mail store servers that restrict delivery (or skip
>   spam filters, ...) to just authorised sources.

In other words, where the server expects to know the client.

Wietse
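
The layout recommended in the thread, sketched as an added configuration example that is not part of the original messages: the global SMTP client carries no certificate, and one dedicated transport presents it to the single destination that expects to know the client. The service name `certsmtp`, the host `store.example.net` and the file paths are assumptions made for illustration.

```conf
# Constructed example: service name, hostname and paths are placeholders.

# ---- main.cf: the setup the thread advises against ----
# With these set globally, the default smtp(8) client presents the
# certificate to every server that asks for one.
#smtp_tls_cert_file = /etc/postfix/client-cert.pem
#smtp_tls_key_file  = /etc/postfix/client-key.pem

# ---- main.cf: sparing setup ----
# No global client certificate; route only the destination that needs one.
smtp_tls_cert_file =
smtp_tls_key_file =
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing) ----
store.example.net    certsmtp:[store.example.net]:25

# ---- master.cf: dedicated clone of the smtp client that carries the certificate ----
certsmtp  unix  -       -       n       -       -       smtp
    -o smtp_tls_cert_file=/etc/postfix/client-cert.pem
    -o smtp_tls_key_file=/etc/postfix/client-key.pem
    -o smtp_tls_security_level=encrypt
```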