On Thu, Mar 19, 2026 at 10:06:14AM +0100, P v via Postfix-users wrote:

> I use the public key fingerprints at the moment, but this is no longer
> feasible with the shorter certificate lifetimes, so I was exploring other
> methods. I see that the approach with the ccert_* attributes is not
> something with a future.

Can you take a moment to explain your use-case?  Why do you need to
validate CA-issued client certificates whose underlying public keys
change without notice and outside your control?

A typical client certificate scenario is one in which you operate some
remotely hosted systems and they need to use your submission services to
relay outbound mail through the "home" server.  You'd provision a static
keypair on the remote end, and a self-signed certificate or even just a
raw public key is sufficient to authenticate the client against a
suitable access(5) table on your server (check_ccert_access).

How is your situation different, and why are volatile CA-issued
certificates required and appropriate?

-- 
    Viktor.  🇺🇦 Слава Україні!
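
The static-keypair scenario described in the message above, as an added example that is not part of the original message: one client key, two self-signed certificates issued around it, and the access(5) line keyed on the public key fingerprint, which stays the same across the reissue. It assumes `smtpd_tls_fingerprint_digest = sha256` on the server; the host name, serial numbers and the `OK` action are constructed for the demo.

```shell
#!/bin/sh
# Added example: a static client key with the certificate reissued around it.
# Host name and serial numbers are constructed for the demo.
set -eu

# Certificate fingerprint: SHA-256 over the whole DER-encoded certificate.
cert_fp() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -c | awk '{print toupper($NF)}'
}

# Public key fingerprint: SHA-256 over the DER SubjectPublicKeyInfo only.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -c | awk '{print toupper($NF)}'
}

# Issue a self-signed certificate for an existing key: issue_cert KEY OUT SERIAL
issue_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -set_serial "$3" \
        -days 30 -subj "/CN=relay1.example.net" 2>/dev/null
}

# One line for the access(5) table consulted by check_ccert_access.
access_line() {
    printf '%s\tOK\n' "$(pubkey_fp "$1")"
}

demo() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/key.pem" 2>/dev/null
    issue_cert "$dir/key.pem" "$dir/old.pem" 1
    issue_cert "$dir/key.pem" "$dir/new.pem" 2   # reissue with the same key
    echo "cert fingerprint, old: $(cert_fp "$dir/old.pem")"
    echo "cert fingerprint, new: $(cert_fp "$dir/new.pem")"
    echo "access(5) entry, valid for both certificates:"
    access_line "$dir/new.pem"
}

demo
```

Only the certificate fingerprint changes between the two certificates, so a table entry keyed on the public key fingerprint needs no update when the certificate is replaced.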