On Tue, Jul 29, 2014 at 02:54:29PM +0200, Patrick Ben Koetter wrote:
> IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs,
> because there are enough MTAs out there unable to handle client certificate
> requests from a server they connect to.
>
> If that is true, would it be possible to make smtpd_tls_ask_ccert client
> dependent e.g. request a ccert when the client sends e.g. a specific HELO
> hostname?
>
> mail.example.com ask_ccert
> .example.net ask_ccert
Obviously this would be a new feature. With the existing Postfix you can run an SMTP service that requests client certificates on a different IP address or port, provided the clients in question are willing to configure a manual transport entry for your domain.

As for the new feature, it is possible in principle. How important is this? What value do you expect to get from said client certificates?

-- 
	Viktor.
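The workaround Viktor describes (a separate smtpd service that asks for client certificates, which cooperating clients reach through a manual transport entry) written out as an added example configuration; it is not from the thread or the Postfix documentation, and the port number, host names, CA and key file paths, and the fingerprint are assumptions.

```text
# --- Receiving side: the MTA that wants client certificates ---
# master.cf: a second smtpd on port 10025 (assumed) that asks for, and
# requires, a client certificate. The public port 25 service keeps its
# defaults, so MTAs that cannot handle a certificate request are never asked.
10025     inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/ccert
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_ask_ccert=yes
    -o smtpd_tls_req_ccert=yes
    -o smtpd_tls_CAfile=/etc/postfix/partner-ca.pem
    -o smtpd_client_restrictions=permit_tls_clientcerts,reject

# main.cf: certificate fingerprints that permit_tls_clientcerts accepts.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_tls_fingerprint_digest = sha256

# /etc/postfix/relay_clientcerts (the fingerprint is a placeholder):
# AA:BB:CC:...:FF   mail.example.com

# --- Sending side: a client that agreed to use the dedicated port ---
# main.cf: present our own certificate (Postfix only sends it when the
# server asks) and route the partner's domain to the dedicated port.
smtp_tls_cert_file = /etc/postfix/mail.example.com-cert.pem
smtp_tls_key_file  = /etc/postfix/mail.example.com-key.pem
smtp_tls_CAfile    = /etc/ssl/certs/ca-certificates.crt
transport_maps = hash:/etc/postfix/transport
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/transport:
# example.org   smtp:[mx.example.org]:10025

# /etc/postfix/tls_policy (the key must match the bracketed nexthop with port):
# [mx.example.org]:10025   secure
```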