On Sat, Apr 11, 2026 at 11:01:33AM -0400, Wietse Venema via Postfix-users wrote:
> 20260323
>
> Feature: specify "tls_trust_server_ccerts = yes" to trust
> client certificates whose extended key usage (EKU) lists
> only serverAuth and not clientAuth as valid TLS client
> certificates. This parameter is used only in the Postfix
> SMTP server, when client certificates are requested via
> smtpd_tls_ask_ccert or smtpd_tls_req_ccert. It is a workaround
> for policy changes at the major WebPKI CAs that preclude
> the issuance of certificates with a clientAuth EKU. Viktor
> Dukhovni. Files: proto/postconf.proto, global/mail_params.h,
> tls/tls_misc.c, tls/tls_server.c.

But do read the parameter documentation; often the right solution is to
not trust CA-issued client certs at all.
--
Viktor. 🇺🇦 Glory to Ukraine!
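Added example, not part of the original messages or of the Postfix distribution: a main.cf sketch contrasting the new parameter with fingerprint-based authorization, an existing Postfix mechanism that does not depend on CA trust. File paths, the table name and the use of these restrictions for relay control are assumptions, and whether this is the alternative the parameter documentation recommends is also an assumption.

```ini
# /etc/postfix/main.cf (use ONE of the two alternatives below)

# --- Alternative 1: CA-based trust, with the workaround from this thread ---
# Any client certificate that chains to a CA in smtpd_tls_CAfile counts as
# verified, including certificates whose EKU lists only serverAuth.
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/client-cas.pem
tls_trust_server_ccerts = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination

# --- Alternative 2: no CA trust, authorize individual certificates ---
# Only certificates whose fingerprint is listed in relay_clientcerts are
# permitted; who issued the certificate and its EKU do not matter.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# /etc/postfix/relay_clientcerts holds one "fingerprint name" pair per line,
# for example (placeholder value, not a real fingerprint):
#   <SHA256-FINGERPRINT-OF-CLIENT-CERT>  partner-mta.example.com
# Rebuild the table with "postmap /etc/postfix/relay_clientcerts" after edits.
```

With Alternative 1, every certificate holder under the listed CAs is authorized; with Alternative 2, access is granted per certificate and is revoked by deleting its table entry.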