Hello List,

is there a clean way to optionally present a client certificate to a Postfix MX configured with

    smtpd_tls_received_header=yes
    smtpd_tls_ask_ccert = yes
    smtpd_tls_CApath=/etc/ssl/certs

without breaking the use of TLS or even the mail delivery to MXes that are verifying presented client certificates against a local CA, and rejecting anything else?

I don't want to configure them all explicitly in /etc/postfix/transport.

My first idea was:

/etc/postfix/master.cf:

    smtp_ccert unix - - y - - smtp
      -o syslog_name=postfix/$service_name
      -o smtp_tls_cert_file=/etc/postfix/ssl/crt/server.crt
      -o smtp_tls_key_file=/etc/postfix/ssl/key/server.key

/etc/postfix/main.cf:

    default_transport = smtp_ccert:
    fallback_transport = smtp:

I worried a bit about penalty times in greylisting scenarios since I expected this to retry too fast, and the greylisting daemon not to notice the difference between the attempts with and without greylisting.

But Postfix isn't even trying with the fallback transport in this case. fallback_relay and smtp_fallback_relay show the same behavior (aren't used).

The idea behind this is to have a fully verified transport trust chain within the header when all Postfix servers on the transport do this.

Any ideas?

Kind regards
Lars

--
Lars Kollstedt
Telefon: +49 6151 16-71027
E-Mail: l...@man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Sitz der Gesellschaft: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert