Viktor Dukhovni:
> > > If that is true, would it be possible to make smtpd_tls_ask_ccert client
> > > dependent e.g. request a ccert when the client sends e.g. a specific HELO
> > > hostname?
> > > 
> > > mail.example.com        ask_ccert
> > > .example.net            ask_ccert
> > 
> > Alternatively, allow a richer input to smtpd_tls_ask_ccert besides
> > yes and no.  For example, a (match)list.
> 
> That was also my thinking, but I was expecting a new parameter, 
> 
>     smtpd_tls_ask_ccert_helo_names = <domain match list>
> 
> Turning "smtpd_tls_ask_ccert" from a boolean to a matchlist requires
> a bit of special gymnastics to deal with "yes" and "no"; would that
> be better?

smtpd_tls_ask_ccert_helo_names does not generalize. We'd also need
smtpd_tls_ask_ccert_client_names and smtpd_tls_ask_ccert_client_addrs
and so on. Instead of introducing code that solves only one user-visible
problem, introduce infrastructure that can be reused in other contexts.

        Wietse
