I'm using a policy service in my Postfix installation, where I check some attributes like the subject or issuer of a certificate before granting access. The documentation states this: "The "ccert_*" attributes (Postfix 2.2 and later) specify information about how the client was authenticated via TLS. These attributes are empty in case of no certificate authentication."
The Google Chrome team has decided to stop accepting the “Client Authentication” usage purpose in the Extended Key Usage (EKU) field of SSL/TLS server certificates as of June 15, 2026 (see Google Chrome Root Program Policy)—only “Server Authentication” will be permitted in the future. Most of the public CAs, and also Let's Encrypt, will stop issuing certificates with this extension. Am I right that in the future you will no longer be able to use public SSL certificates (because they lack the "Client Authentication" EKU) if you use a policy service with "ccert_*" attributes or configuration depending on smtpd_tls_ask_ccert/smtpd_tls_req_ccert? If I increase the TLS logging I still see the information logged, so it must be there, but I cannot use it in the policy. Is there any alternative to check the certificate used for TLS if it's lacking the client authentication EKU?
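For reference, an added example that is not part of the original post: a sketch of the kind of policy check described above, parsing a Postfix policy delegation request and deciding on `ccert_subject`/`ccert_issuer`, with empty values treated as "no certificate authentication" as the quoted documentation says. The allow-list, the sample requests and the chosen actions are constructed assumptions; the `+XX` xtext decoding follows the Postfix policy delegation README.

```python
import re

# Constructed allow-list of (issuer, subject) pairs; hypothetical values.
ALLOWED = {("Example Issuing CA", "relay1.example.org")}

def xtext_decode(value: str) -> str:
    """Decode xtext: Postfix sends some characters in ccert_* values as +XX hex."""
    raw = re.sub(rb"\+([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), value.encode())
    return raw.decode("utf-8", "replace")

def parse_request(raw: str) -> dict:
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break  # an empty line terminates the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value  # only the first '=' separates name and value
    return attrs

def decide(attrs: dict) -> str:
    """Return the access action; fail closed when the ccert_* values are empty."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DEFER_IF_PERMIT unsupported policy request"
    subject = xtext_decode(attrs.get("ccert_subject", ""))
    issuer = xtext_decode(attrs.get("ccert_issuer", ""))
    if not subject or not issuer:
        # Empty attributes: the client was not authenticated by certificate.
        return "REJECT client certificate required"
    if (issuer, subject) in ALLOWED:
        return "OK"
    return "REJECT certificate not authorized"

def reply(raw: str) -> str:
    """Build the wire reply: action=... followed by an empty line."""
    return f"action={decide(parse_request(raw))}\n\n"

# Constructed sample requests (not captured from a real server).
SAMPLE_VERIFIED = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                   "ccert_subject=relay1.example.org\n"
                   "ccert_issuer=Example+20Issuing+20CA\n\n")
SAMPLE_EMPTY = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                "ccert_subject=\nccert_issuer=\n\n")
```

The second sample shows the situation the question is about: when the attributes arrive empty, a check like this cannot tell "no certificate presented" apart from "certificate presented but not accepted as authenticated".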
