>>>>> "TF" == Tony Finch <[email protected]> writes:
TF> Client certificates? I thought they were nonexistent for mail to MXs.
Yes. An example from lists.debian.org:
Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "bendel.debian.org", Issuer "ca.debian.org" (verified OK))
by pao.uu.jhcloos.net (Postfix) with ESMTPS id 1CAFE23CC56
for <[email protected]>; Tue, 8 Jan 2013 06:22:46 +0000 (UTC)
and from mail from a Google group:
Received: from mail-ie0-f191.google.com (mail-ie0-f191.google.com
[209.85.223.191])
(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority"
(verified OK))
by pao.uu.jhcloos.net (Postfix) with ESMTPS id 3D04E23C010
for <[email protected]>; Thu, 10 Jan 2013 07:04:25 +0000 (UTC)
OTOH, mail from a list at alioth.debian looks like:
Received: from wagner.debian.org (wagner.debian.org [217.196.43.132])
(using TLSv1 with cipher AES256-SHA (256/256 bits))
(Client did not present a certificate)
by pao.uu.jhcloos.net (Postfix) with ESMTPS id 9498E23C034
for <[email protected]>; Thu, 10 Jan 2013 07:58:00 +0000 (UTC)
I have pf configured to request but not require a cert.
Primarily just to see what they do.
TF> ... I turned on an option for the server to request a client
TF> certificate. ... This was supposed to be optional, but many clients
TF> treated it as a demand and aborted the connection, which was not
TF> what I wanted.
I've not seen any such issue since I turned on the requests.
I just added smtpd_tls_ask_ccert = yes to my postfix main.cf.
-JimC
--
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
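The three Received headers above are what Postfix writes once smtpd_tls_ask_ccert = yes is set: the cipher line is followed by either a Client CN/Issuer line with a verification result or "(Client did not present a certificate)". The parser below, an added example that is not part of the original message or of Postfix, turns a pile of such headers into a per-sender survey of who presents a client certificate, which is exactly the "just to see what they do" experiment described in the reply. The sample headers are constructed from the three quoted in the message (placeholder recipient and receiving-host names, since the real addresses are not on the page), plus one constructed plaintext session to exercise the no-TLS path. The status strings matched are the ones Postfix emits for a verified, unverified, absent or unrequested client certificate; cn_matches_peer is a hypothetical helper added here to make one caveat visible: "verified OK" only means the chain validated against the CA file, not that the CN names the connecting host, as the Google example shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples modeled on the headers quoted in the message above.
# Receiving host and recipient are placeholders (.invalid), not real mailboxes.
SAMPLE_HEADERS = [
    'Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])\n'
    '\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n'
    '\t(Client CN "bendel.debian.org", Issuer "ca.debian.org" (verified OK))\n'
    '\tby mx.example.invalid (Postfix) with ESMTPS id 1CAFE23CC56\n'
    '\tfor <user@example.invalid>; Tue, 8 Jan 2013 06:22:46 +0000 (UTC)',
    'Received: from mail-ie0-f191.google.com (mail-ie0-f191.google.com\n'
    '\t[209.85.223.191])\n'
    '\t(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))\n'
    '\t(Client CN "smtp.gmail.com", Issuer "Google Internet Authority"\n'
    '\t(verified OK))\n'
    '\tby mx.example.invalid (Postfix) with ESMTPS id 3D04E23C010\n'
    '\tfor <user@example.invalid>; Thu, 10 Jan 2013 07:04:25 +0000 (UTC)',
    'Received: from wagner.debian.org (wagner.debian.org [217.196.43.132])\n'
    '\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n'
    '\t(Client did not present a certificate)\n'
    '\tby mx.example.invalid (Postfix) with ESMTPS id 9498E23C034\n'
    '\tfor <user@example.invalid>; Thu, 10 Jan 2013 07:58:00 +0000 (UTC)',
    # Constructed plaintext session: no TLS line at all, so no cert was possible.
    'Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])\n'
    '\tby mx.example.invalid (Postfix) with ESMTP id 0123456789AB\n'
    '\tfor <user@example.invalid>; Thu, 10 Jan 2013 08:00:00 +0000 (UTC)',
]

FROM_RE = re.compile(r'^Received: from (\S+) \((\S+) \[([^\]]+)\]\)')
TLS_RE = re.compile(r'\(using (\S+) with cipher (\S+) \((\d+/\d+) bits\)\)')
CCERT_RE = re.compile(r'\(Client CN "([^"]*)", Issuer "([^"]*)" \(([^)]*)\)\)')


@dataclass
class TlsInfo:
    helo: str            # name the client announced in EHLO
    rdns: str            # reverse DNS Postfix resolved for the peer address
    ip: str
    tls: bool
    proto: Optional[str] = None
    cipher: Optional[str] = None
    bits: Optional[str] = None
    ccert: str = "n/a"   # verified | unverified | none | not-requested | unknown | n/a
    cn: Optional[str] = None
    issuer: Optional[str] = None


def unfold(header: str) -> str:
    """Undo RFC 5322 header folding: newline followed by whitespace is a continuation."""
    return re.sub(r'\r?\n[ \t]+', ' ', header.strip())


def parse_received(header: str) -> TlsInfo:
    """Extract the TLS and client-certificate annotations Postfix smtpd adds."""
    h = unfold(header)
    m = FROM_RE.match(h)
    if not m:
        raise ValueError("not a Postfix 'Received: from host (rdns [ip])' header")
    info = TlsInfo(helo=m.group(1), rdns=m.group(2), ip=m.group(3), tls=False)
    t = TLS_RE.search(h)
    if not t:
        return info  # plaintext session: ccert stays "n/a"
    info.tls = True
    info.proto, info.cipher, info.bits = t.groups()
    c = CCERT_RE.search(h)
    if c:
        info.cn, info.issuer, status = c.groups()
        # Postfix prints "verified OK" when the chain validated against its CA file,
        # otherwise "not verified" (cert was presented but could not be chained).
        info.ccert = "verified" if status == "verified OK" else "unverified"
    elif "(Client did not present a certificate)" in h:
        info.ccert = "none"
    elif "(No client certificate requested)" in h:
        info.ccert = "not-requested"   # what you see with smtpd_tls_ask_ccert = no
    else:
        info.ccert = "unknown"
    return info


def cn_matches_peer(info: TlsInfo) -> bool:
    """Hypothetical caveat check: a verified chain says nothing about the CN naming this host."""
    return bool(info.cn) and info.cn.lower() == info.rdns.lower()


def forward_secrecy(cipher: Optional[str]) -> bool:
    """OpenSSL names ephemeral-DH suites with a DHE-/ECDHE-/EDH-/AECDH- prefix."""
    return bool(cipher) and cipher.startswith(("DHE-", "ECDHE-", "EDH-", "AECDH-"))


def survey(headers: List[str]) -> Dict[str, List[str]]:
    """Group sending hosts by what they did when asked for a client certificate."""
    buckets: Dict[str, List[str]] = {}
    for h in headers:
        info = parse_received(h)
        buckets.setdefault(info.ccert, []).append(info.rdns)
    return buckets


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        i = parse_received(h)
        print(f"{i.rdns:28} tls={i.tls!s:5} cipher={i.cipher} ccert={i.ccert} "
              f"cn={i.cn} cn_matches_peer={cn_matches_peer(i)}")
    print(survey(SAMPLE_HEADERS))
```

Run it over a mailbox's Received headers (only the topmost, written by your own MX, is trustworthy; earlier hops are whatever the sender chose to put there) and the survey tells you how many peers actually present a certificate before you consider changing "ask" to "require".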