On 18.03.2026 at 17:13:06 Pascal von Ow via Postfix-users writes:
> Am I right, that in the future you will no longer be able to use public ssl
> certificates (because they lack the "Client Authentication" EKU) if you use
> a policy service with ccert_* attributes or configuration depending
> on smtpd_tls_ask_ccert/smtpd_tls_req_ccert?
>
> If I increase the TLS logging I still see the information logged, so it
> must be there but I can not use it in the policy. Is there any alternative
> to check the certificate used for TLS if it's lacking the client
> authentication EKU?
If you are using - or plan to use - certificates for client authentication, then the only reliable method is issuing the certificates to the clients yourself. It was always the only recommended method.

Certificates issued by public CAs for use with web servers are not suitable for client authentication, as usually the only thing that is checked when issuing such a certificate is the server domain.

You may consider accepting *personal* (not server) certificates issued by government-approved CAs in some countries for the purpose of e.g. electronic signatures that are legally binding equally to a paper signature on a document (it is called a "qualified certificate" here in Poland) - because when they are issued, the actual identity of the person is checked. But I personally think it would be too much hassle, especially because these certificates are usually stored on hardware crypto cards (often it is the official personal ID card that you use as a document that identifies you).

If you want *your* users to authenticate with certificates, issue them yourself.
--
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
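The two points in this thread (a public web-server certificate lacks the Client Authentication EKU, and the reliable route is a private CA that issues client certificates with it) can be shown with nothing more than openssl. The script below is an added example and is not from either poster nor from the Postfix project: it builds a throwaway private CA, issues one certificate with `extendedKeyUsage=clientAuth` and one with only `serverAuth` (the shape of a public web-server certificate), then checks each one for the clientAuth EKU and for acceptance under openssl's `sslclient` verification purpose. All subjects, file names and the `$WORK` directory are made up for the example; it assumes OpenSSL 1.1.1 or newer on `PATH`.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + two leaf certificates,
# one usable for TLS client authentication and one that only carries the
# serverAuth EKU, as a public web-server certificate typically does.
# Assumes openssl 1.1.1+; all names below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
# The [dn] section is required by "openssl req" even when -subj is given.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused-when-subj-is-given
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create the private CA key and its self-signed CA certificate.
make_ca() {
  openssl req -config "$WORK/req.cnf" -x509 -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Mail CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert NAME EKU: issue a leaf certificate signed by the private CA whose
# extendedKeyUsage is exactly EKU (e.g. clientAuth or serverAuth).
issue_cert() {
  name="$1"; eku="$2"
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name.example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# has_client_auth_eku CERT: succeed if the certificate lists the
# id-kp-clientAuth EKU, which openssl prints as "TLS Web Client Authentication".
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# verifies_as_client CERT: succeed if openssl accepts the certificate for the
# "sslclient" purpose against the private CA. A certificate whose EKU lists
# only serverAuth fails here with "unsupported certificate purpose".
verifies_as_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

make_ca
issue_cert client clientAuth      # what you issue to your own users
issue_cert webserver serverAuth   # what a public CA issues for a web server

for c in client webserver; do
  if has_client_auth_eku "$WORK/$c.crt"; then eku=yes; else eku=no; fi
  if verifies_as_client "$WORK/$c.crt"; then ok=yes; else ok=no; fi
  echo "$c.crt: clientAuth EKU=$eku, accepted for client authentication=$ok"
done
```

The `openssl verify -purpose sslclient` check is the useful one to keep at hand: it is the same EKU decision a TLS server makes when it asks for a client certificate, so running it against a certificate before deploying it on the client side tells you up front whether the certificate can pass that step at all. The CA certificate from `$WORK/ca.crt` is what you would hand to the server-side trust store for your own clients.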
