I'm not at the point where I want to verify certs and reject mail,
because the mail must go through! However, I would like at least
for postfix to request the cert. (Forgive my terminology here if I am
not phrasing this properly.) Basically I would just eyeball the header
and look at the cert request on a case-by-case basis.

Here is a part of an email header from an email that I sent myself
(sanitized to stay off google)
----------------
Received: from mydomain.com (unknown [myipaddress])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate)
 by www.example.com (Postfix) with ESMTPSA id 1604469A2A
 for <m...@mydomain.com>; Fri, 22 Dec 2017 09:01:13 +0000 (UTC)
-----------------------

From master.cf, with the emphasis on the last line:
--------------------------
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_ask_ccert=yes
-------------------------------------------

From main.cf (sanitized):
--------------------------------
# TLS
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#next line experimental
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
----------------------------------

My reasoning here is that since I have a real (enough) cert from a CA rather than
a self-signed one, I should be able to let the recipient's MTA sniff my cert.

I suppose if this is dumb I'm going to find out. ;-) 
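One way to do the case-by-case eyeballing across many messages, as an added example that is not from the original post or from Postfix itself: a small Python parser for the TLS annotations Postfix writes into Received: headers when smtpd_tls_received_header = yes. The first sample is the header quoted above; the other two (a client that presented a certificate, and a plaintext hop) are constructed.

```python
import re
from typing import Dict

# Annotations Postfix adds to a Received: header when smtpd_tls_received_header = yes.
TLS_RE = re.compile(
    r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)\)")
CCERT_RE = re.compile(
    r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" \((?P<verify>[^)]*)\)\)')
NO_CCERT_RE = re.compile(r"\(Client did not present a certificate\)")

def parse_received_tls(header: str) -> Dict[str, object]:
    """Extract TLS protocol, cipher, key bits and client-cert status from one
    (possibly folded) Received: header. Missing fields stay None."""
    flat = " ".join(line.strip() for line in header.splitlines())  # unfold
    info: Dict[str, object] = {"tls": False, "protocol": None, "cipher": None,
                               "bits": None, "client_cert": "none",
                               "client_cn": None, "client_issuer": None,
                               "verify": None}
    m = TLS_RE.search(flat)
    if m:
        info.update(tls=True, protocol=m["proto"], cipher=m["cipher"],
                    bits=int(m["bits"]))
    m = CCERT_RE.search(flat)
    if m:  # the client sent a cert; Postfix logs CN, issuer and verify result
        info.update(client_cert="presented", client_cn=m["cn"],
                    client_issuer=m["issuer"], verify=m["verify"])
    elif NO_CCERT_RE.search(flat):  # cert was asked for but not sent
        info["client_cert"] = "not presented"
    return info

# Header from the post (values already sanitized by the poster).
SAMPLE_NO_CCERT = """Received: from mydomain.com (unknown [myipaddress])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate)
 by www.example.com (Postfix) with ESMTPSA id 1604469A2A"""
# Constructed: a peer that did present a certificate.
SAMPLE_CCERT = """Received: from mail.example.org (mail.example.org [192.0.2.10])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (Client CN "mail.example.org", Issuer "Example CA" (verified OK))
 by www.example.com (Postfix) with ESMTPS id ABCDEF1234"""
# Constructed: a plaintext hop, no TLS annotation at all.
SAMPLE_PLAIN = """Received: from relay.example.net (relay.example.net [198.51.100.7])
 by www.example.com (Postfix) with ESMTP id 0123456789"""

if __name__ == "__main__":
    for h in (SAMPLE_NO_CCERT, SAMPLE_CCERT, SAMPLE_PLAIN):
        print(parse_received_tls(h))
```

Feeding every Received: line from the local mail store through this gives a quick inventory of which peers actually answer the certificate request, rather than reading headers one at a time.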



