On Mon, Aug 26, 2013 at 12:04:28PM +0200, Sebastian Wiesinger wrote:

> > It may be overkill, but it should work.  I am afraid the best path
> > forward is for GMX to debug this with their client software.
> 
> Yeah I'm not holding my breath for that.

Send them (postmaster@) a pointer to this thread, over time they'll
have similar problems with more sites.

> Is there a way to exclude the
> web.de/GMX mailservers from the EC certificate? Let postfix always
> use the other certificate for them?

Only by redirecting their connections to a different port via NAT.
The Postfix SMTP server has very minimal client-specific TLS policy:

    - You can disable STARTTLS support for a set of clients.

        smtpd_discard_ehlo_keyword_address_maps

    - You can do access control based on client certificates

        smtpd_tls_ask_ccert
        permit_tls_clientcerts
        check_ccert_access

One of the main problems is that while the client knows who the
server is (it chose to connect there), the server has little idea
who the client is (IP address ranges change over time).

Policies intended to improve interoperability with legitimate clients
(that don't lie about their identity) could in principle do lookups
based on the client EHLO name.  Postfix does not yet have such features.

-- 
        Viktor.
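
Both mechanisms named above (hiding STARTTLS per client range, and the NAT-to-a-second-port workaround), worked into a configuration sketch that is added here and is not part of the thread; the address ranges, port number and file paths are placeholders.

```conf
# Added example, not from the thread. Two ways to keep the EC certificate
# away from the GMX/web.de clients, assuming Postfix 2.6+ with both an RSA
# (smtpd_tls_cert_file) and an EC (smtpd_tls_eccert_file) server certificate
# configured in main.cf. The 192.0.2.0/24 and 198.51.100.0/24 ranges are
# placeholders (TEST-NET), not the real GMX/web.de address space.

# --- Option 1: hide STARTTLS from those clients (main.cf) -----------------
# Clients matching the map never see STARTTLS in the EHLO response, so they
# deliver in cleartext instead of failing the TLS handshake. Trade-off: mail
# from those ranges is no longer encrypted in transit.
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/no_starttls.cidr

# /etc/postfix/no_starttls.cidr
# 192.0.2.0/24      starttls
# 198.51.100.0/24   starttls

# --- Option 2: second smtpd instance without the EC certificate ----------
# master.cf: same smtpd service on port 2525 with the EC cert/key overridden
# to empty, so only the RSA certificate is offered there. Postfix cannot pick
# a certificate per client, so the firewall redirects the affected ranges:
#   iptables -t nat -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 25 \
#            -j REDIRECT --to-ports 2525
# 2525      inet  n       -       n       -       -       smtpd
#   -o syslog_name=postfix/rsa-only
#   -o smtpd_tls_eccert_file=
#   -o smtpd_tls_eckey_file=

# Check after reload: the map lookup must return "starttls" for a placeholder
# address in one of the ranges.
#   postmap -q 192.0.2.10 cidr:/etc/postfix/no_starttls.cidr
```

Both options keep the EC certificate for every other client; only the matched ranges are treated differently.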
