On Thu, Oct 13, 2011 at 07:11:27PM -0500, Noel Jones wrote:

> Typically these would be set to the same cert & keys as used by smtpd.

My recommendation is to leave the client key/cert settings empty. These should only be set for transports used with TLS client auth by mutual arrangement with a destination server that requires TLS client auth.

> > I'd only want to verify them if they are actually used.
>
> With opportunistic TLS there is no need to verify client
> certificates -- you're willing to accept an unencrypted connection,
> so it doesn't matter if an encrypted connection uses an invalid
> certificate.

No opportunity either, since it is best to not request client certs, and thus none will ever be sent.

> Also, some clients choke on a certificate request, so
> it improves interoperability to just ignore them.

To not ask for them, and thus none will ever be sent.

> The only place you should really care about encryption is if your
> own clients submit SASL authenticated mail [...]

Well, protection against passive wiretaps can be helpful in many cases. So I would not discourage the use of opportunistic outbound TLS.

-- 
	Viktor.
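A check for the settings discussed in this thread, added here as an example and not part of the original post: a POSIX shell audit of a Postfix main.cf that flags globally set client cert/key parameters, a server that asks for client certs, and a missing opportunistic outbound TLS level. The Postfix parameter names are real; the sample main.cf contents are constructed.

```shell
#!/bin/sh
# Audit a Postfix main.cf against the advice in the thread (added example).
# Parameter names are real Postfix parameters; sample files are constructed.

# Print the effective value of a parameter (last assignment wins, as in
# Postfix; continuation lines are not handled here).
cf_get() {
    # $1 = main.cf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Returns 0 when the file follows the advice, 1 otherwise; findings on stdout.
audit_client_tls() {
    f=$1; rc=0
    # Client cert/key should be empty globally; set them only per transport
    # in master.cf (-o smtp_tls_cert_file=...) for destinations that need it.
    for p in smtp_tls_cert_file smtp_tls_key_file; do
        v=$(cf_get "$f" "$p")
        if [ -n "$v" ]; then
            echo "WARN: $p is set globally ($v); only set it per transport"; rc=1
        fi
    done
    # Asking for client certs gains nothing with opportunistic TLS.
    if [ "$(cf_get "$f" smtpd_tls_ask_ccert)" = "yes" ]; then
        echo "WARN: smtpd_tls_ask_ccert = yes; do not request client certs"; rc=1
    fi
    # Outbound TLS should be at least opportunistic (may).
    case $(cf_get "$f" smtp_tls_security_level) in
        may|encrypt|dane|dane-only|fingerprint|verify|secure) ;;
        *) echo "WARN: smtp_tls_security_level unset; use at least 'may'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: smtpd settings copied onto the client side (bad).
BAD_CF=$(mktemp); GOOD_CF=$(mktemp)
trap 'rm -f "$BAD_CF" "$GOOD_CF"' EXIT
cat > "$BAD_CF" <<'EOF'
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = /etc/postfix/server.key
smtp_tls_cert_file = /etc/postfix/server.pem
smtp_tls_key_file = /etc/postfix/server.key
smtpd_tls_ask_ccert = yes
EOF
# Constructed sample following the thread's advice (good).
cat > "$GOOD_CF" <<'EOF'
smtpd_tls_cert_file = /etc/postfix/server.pem
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtpd_tls_ask_ccert = no
EOF
audit_client_tls "$BAD_CF" || echo "bad config needs changes"
audit_client_tls "$GOOD_CF" && echo "good config OK"
```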