Andy Bradford <[email protected]> wrote:
> Thus said Michael Richardson on Thu, 05 Jun 2025 15:55:38 -0400:
>> > Do we support client certificate submission during TLS negotiation?
>> No. If this is what you want ... well, I'm a little surprised, as I
>> work in an environment that makes heavy use of TLS client
>> certificates and as far as I know this is never done for SMTP (web
>> servers, yes, but SMTP, no). I would have to look at what it
>>
>> Yes, it never took off, but I've been using this for 25+ years.
> Nice to find a fellow traveller who still knows what SMTPS on port 465
> is and actually still uses it.

Ha. I do it on port 26 on my relay, because port-25 became blocked, and port
465 was not yet a thing when I started. I probably should switch.

I'm not sure if postfix can do SMTPS when it sends; probably it's enough to
just tell it

    relayhost = somehost.example.net:465

??

I used to do this with a CA signed certificate, but when the certificate
expired, and I couldn't easily re-sign the certificate (because I was away), I
just put my fingerprint into:

    relay_clientcerts = hash:/etc/postfix/relayclients

What does *not* work, is that my relay does not consider the emails to be
"local", so they do not get DKIM signed. Perhaps going through 465 would
solve that problem?

When I'm out-of-office, but not out-of-town, I mosh/emacsclient to home
office, so I don't have this problem.
