On Sun, May 16, 2010 at 6:03 AM, Hadmut Danisch <had...@danisch.de> wrote:
> On 16.05.2010 01:24, zhong ming wu wrote:
>> On Sat, May 15, 2010 at 6:52 PM, Hadmut Danisch <had...@danisch.de> wrote:
>>> I am running a postfix server which allows relaying and using particular
>>> sender domains for some people, but not for the public. The authorised
>>> users have to authenticate either with SASL or TLS client certificates.
>>> Since the server works also as a recipient, TLS is not enforced for
>>> incoming emails.
>>>
>> what is
>>
>> postconf -n
>
> Which parts of the output would you need? (The configuration is
> distributed over several lookup tables and contains details not to be
> released to the public)
>
> The general question is:  Why does an expired certificate fulfill the
> permit_tls_clientcerts clause?

Unless
  smtpd_tls_req_ccert = yes
the server will not enforce the validity of the cert.

My guess is that if you use the same server instance both as a public MX
host and as a relay server authenticated using TLS certificates, then what
you want isn't possible, since smtpd_tls_req_ccert should not be required
for the public MX part of your server.

permit_tls_clientcerts is used in conjunction with relay_clientcerts, and
you should be removing the fingerprints of expired certs from that map
anyway. Part of Postfix's implementation of the TLS client side isn't
conventional; for example, the way you revoke a client certificate is by
deleting the fingerprint from a lookup map, not with a CRL.

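The map maintenance described in the reply above (expired fingerprints dropped from relay_clientcerts, revocation done by deleting a line rather than via a CRL), as an added example that is not part of the original thread and is not Postfix's own tooling. It is a POSIX shell script that rebuilds a relay_clientcerts table from a directory of client certificates, leaves out any certificate that is expired or about to expire, and removes a single fingerprint for revocation. Assumptions: one PEM certificate per client stored as <identifier>.pem in the given directory, the function names, and an md5 default for the digest (the smtpd_tls_fingerprint_digest default on Postfix releases of that era; set DIGEST=sha256 for 3.6 and later).

```shell
#!/bin/sh
# Added example (not from the original thread, not Postfix's own tooling):
# maintain a Postfix relay_clientcerts table from a directory of client
# certificates. Since permit_tls_clientcerts does not consult a CRL, an
# expired or revoked client certificate is removed by dropping its
# fingerprint from this table. Assumptions: one <identifier>.pem per
# client in the directory, and DIGEST matching smtpd_tls_fingerprint_digest.

DIGEST=${DIGEST:-md5}   # Postfix < 3.6 defaults to md5; 3.6+ to sha256

# Print the fingerprint of a PEM certificate in the colon-separated hex
# form Postfix uses as the lookup key (same as "openssl x509 -fingerprint").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -"$DIGEST" | sed 's/^.*=//'
}

# Succeed only if the certificate is still valid $2 seconds from now
# (0 means "not expired right now").
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Emit one table line "<fingerprint> <identifier>" for a certificate, or
# nothing (exit 1) if it is expired or expires within $3 seconds.
relay_clientcerts_entry() {
    cert_is_valid "$1" "${3:-0}" || return 1
    printf '%s %s\n' "$(cert_fingerprint "$1")" "$2"
}

# Regenerate the whole table on stdout from a directory of <ident>.pem
# files. Expired certificates simply fall out of the table, which is what
# revokes them as far as permit_tls_clientcerts is concerned.
build_relay_clientcerts() {
    dir=$1; grace=${2:-0}
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        ident=$(basename "$cert" .pem)
        relay_clientcerts_entry "$cert" "$ident" "$grace" \
            || echo "skipping expired/expiring cert for $ident" >&2
    done
}

# Revoke a single certificate by fingerprint: drop its line from the table.
# The operator then runs "postmap" on the file so smtpd sees the change.
revoke_clientcert() {
    fp=$1; table=$2
    # grep -v exits 1 when nothing is left to print; that is still success here
    { grep -v -i -F -- "$fp" "$table" || [ $? -eq 1 ]; } > "$table.tmp"
    mv "$table.tmp" "$table"
}
```

After regenerating or editing the text file, run `postmap hash:/etc/postfix/relay_clientcerts` (or whatever map type main.cf names) so the running smtpd picks up the change. This only governs the fingerprint lookup behind permit_tls_clientcerts; it does not make smtpd reject unverified or expired certificates at the TLS layer, which is what smtpd_tls_req_ccert = yes would do, and which the reply above notes cannot be required of a public MX on the same instance.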