On Thu, Oct 13, 2011 at 07:11:27PM -0500, Noel Jones wrote:

> Typically these would be set to the same cert & keys as used by smtpd.

My recommendation is to leave the client key/cert settings empty.
These should only be set for transports used with TLS client auth
by mutual arrangement with a destination server that requires TLS
client auth.

> > I'd only want to verify them if they are actually used.
> 
> With opportunistic TLS there is no need to verify client
> certificates -- you're willing to accept an unencrypted connection,
> so it doesn't matter if an encrypted connection uses an invalid
> certificate.

No opportunity either, since it is best to not request client certs,
and thus none will ever be sent.

> Also, some clients choke on a certificate request, so
> it improves interoperability to just ignore them.

To not ask for them, and thus none will ever be sent.

> The only place you should really care about encryption is if your
> own clients submit SASL authenticated mail [...]

Well, protection against passive wiretaps can be helpful in many
cases. So I would not discourage the use of opportunistic outbound
TLS.

-- 
        Viktor.
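
The configuration shape described in this reply, as an added example that is not from the thread or the Postfix distribution: site-wide opportunistic TLS with the client cert/key settings left empty and no client-cert request on the server side, plus one dedicated transport that presents a client certificate only for a partner domain that requires it. The paths, the `clientauth` transport name and the `partner.example` domain are placeholders.

```ini
# /etc/postfix/main.cf (constructed fragment; Postfix reads "#" only at line start)
# Opportunistic TLS in both directions.
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_loglevel = 1

# Client cert/key deliberately left empty for the default smtp transport:
# nothing is offered unless a destination is routed to a transport that sets them.
smtp_tls_cert_file =
smtp_tls_key_file =

# Server-side cert/key (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/server-cert.pem
smtpd_tls_key_file = /etc/postfix/server-key.pem

# Do not request client certificates, so remote clients never send one
# and clients that choke on the request are not affected.
smtpd_tls_ask_ccert = no

# Route only the mutually-arranged partner through the client-auth transport.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (constructed; run "postmap /etc/postfix/transport" after editing)
# partner.example    clientauth:

# /etc/postfix/master.cf (constructed): a transport that presents a client cert
# and insists on encryption, used only for destinations mapped to it above.
# clientauth unix  -       -       n       -       -       smtp
#   -o smtp_tls_security_level=encrypt
#   -o smtp_tls_cert_file=/etc/postfix/client-cert.pem
#   -o smtp_tls_key_file=/etc/postfix/client-key.pem
```

The transport and master.cf entries are shown commented out because they belong in their own files; uncomment them there and reload Postfix after running postmap.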
