On Fri, Jun 24, 2016 at 04:10:40PM +0100, Rob Maidment wrote:

> I could set smtpd_tls_security_level to "may" instead and then verify
> that TLS has been used where it is required (e.g. using a policy
> service), however that means Postfix will not validate the client
> certificate right? (because the smtpd_tls_req_ccert option is ignored
> when the security level is "may")

If you do not require TLS, you essentially do not require client
certs, so the correct feature is "smtpd_tls_ask_ccert", not
"smtpd_tls_req_ccert".  If a client certificate is presented, its
validity is evaluated either way, and is available to policy
servers.

Specifically, the subject CN and issuer CN are only available
when the client cert is "trusted" as with "req_ccert".

-- 
        Viktor.
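The approach Viktor describes, "may" plus "smtpd_tls_ask_ccert" with the actual enforcement done in a policy service, can be illustrated with a small SMTPD policy daemon. The following is an added example, not code from the thread or from Postfix itself: it parses the name=value request Postfix sends to a check_policy_service endpoint, and rejects mail from a configured set of sender domains unless the session used TLS and the client certificate was verified (which is exactly when ccert_subject is populated). The domain name, the listening port and the main.cf fragment in the comment are assumptions made for the example.

```python
"""Minimal Postfix SMTPD policy service that enforces TLS plus a trusted
client certificate for selected sender domains.

Assumed main.cf fragment (hypothetical, not from the thread):

    smtpd_tls_security_level = may
    smtpd_tls_ask_ccert = yes
    smtpd_tls_CAfile = /etc/postfix/client-ca.pem
    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10040,
        permit_mynetworks, reject_unauth_destination

With "ask_ccert" the session is not aborted when no certificate is
presented; instead the policy request carries ccert_* attributes, and
ccert_subject / ccert_issuer are only filled in when the certificate
verified against smtpd_tls_CAfile.
"""
import socketserver
from typing import Dict

# Constructed policy data: senders in these domains must arrive over TLS
# with a CA-verified client certificate. Hypothetical domain name.
REQUIRE_TRUSTED_CCERT_DOMAINS = {"partner.example"}


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break  # blank line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Return the Postfix access action for one parsed request."""
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2].lower()
    if domain not in REQUIRE_TRUSTED_CCERT_DOMAINS:
        return "DUNNO"  # no special policy; let later restrictions decide
    # encryption_protocol is empty or absent on a plaintext session
    if not attrs.get("encryption_protocol"):
        return "REJECT TLS is required for mail from " + domain
    # ccert_subject is only set when the client cert verified against the CA,
    # so an unverified or missing certificate fails this check
    if not attrs.get("ccert_subject"):
        return "REJECT a trusted client certificate is required for mail from " + domain
    return "DUNNO"


def policy_response(raw_request: str) -> str:
    """Build the full reply Postfix expects: 'action=...' plus an empty line."""
    return "action=" + decide(parse_policy_request(raw_request)) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve repeated requests on one connection, as Postfix does."""

    def handle(self) -> None:
        lines = []
        while True:
            line = self.rfile.readline()
            if not line:
                return  # Postfix closed the connection
            text = line.decode("ascii", "replace").rstrip("\r\n")
            if text:
                lines.append(text)
                continue
            if lines:
                self.wfile.write(policy_response("\n".join(lines) + "\n").encode("ascii"))
                self.wfile.flush()
            lines = []


if __name__ == "__main__":
    # Listen on the address referenced by the assumed check_policy_service entry.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Because ccert_fingerprint is delivered even for an unverified certificate, a stricter variant could additionally pin known fingerprints, but the check above is enough to reproduce "req_ccert" semantics for the chosen senders while leaving everyone else on opportunistic TLS.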
