When smtpd is configured to ask for client certificates and a CAfile is configured, then the X509 names of all the CA certificates will be sent in the CertificateRequest. That's correct behaviour as the names in a CertificateRequest are intended to guide certificate selection:

http://tools.ietf.org/html/rfc5246#section-7.4.4

However, when CAfile consists of a complete list of public CAs, as seems quite common, the guidance is rather superfluous and the CertificateRequest is huge. For example, try:

  $ openssl s_client -tls1 -connect mx4-sjl.mta.salesforce.com:25 -starttls smtp
  ...
  SSL handshake has read 23311 bytes and written 332 bytes

A 23KB TLS handshake was probably not what was intended by the administrator.

The attached patch (and I don't know what I'm doing when it comes to patching Postfix - it's mostly illustrative) disables sending the CA list by default and adds an option (smtpd_tls_send_cas) to enable. Although this is a change of behaviour, I think that it's the right thing to do in most cases.

Cheers

AGL

-- 
Adam Langley a...@imperialviolet.org http://www.imperialviolet.org