Viktor Dukhovni via Postfix-users <[email protected]> writes:
> On Sat, Apr 11, 2026 at 11:01:33AM -0400, Wietse Venema via Postfix-users wrote:
>
>> 20260323
>>
>> Feature: specify "tls_trust_server_ccerts = yes" to trust
>> client certificates whose extended key usage (EKU) lists
>> only serverAuth and not clientAuth as valid TLS client
>> certificates. This parameter is used only in the Postfix
>> SMTP server, when client certificates are requested via
>> smtpd_tls_ask_ccert or smtpd_tls_req_ccert. It is a workaround
>> for policy changes at the major WebPKI CAs that preclude
>> the issuance of certificates with a clientAuth EKU. Viktor
>> Dukhovni. Files: proto/postconf.proto, global/mail_params.h,
>> tls/tls_misc.c, tls/tls_server.c.
>
> But do read the parameter documentation, often the right solution is to
> not trust CA-issued client certs at all.

Thanks for verification, Viktor and Wietse!

Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
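The two approaches mentioned in the message above, side by side, as an added configuration sketch that is not part of the thread or of the Postfix distribution. Block B is one way to avoid trusting CA-issued client certificates, by pinning fingerprints; the file paths, the host name and the fingerprint placeholder are assumptions.

```ini
# main.cf fragment (constructed example; paths are assumptions).
# Use ONE of the two blocks below, not both.

# --- Block A: CA-based trust, with the workaround from the changelog ---
# permit_tls_all_clientcerts accepts any certificate that chains to a CA
# in smtpd_tls_CAfile, so that CA decides who may relay. Only sensible
# when the file lists a dedicated CA that issues just your clients.
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/client-ca.pem
# Accept client certificates whose EKU lists only serverAuth.
tls_trust_server_ccerts = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination

# --- Block B: no CA trust, pin individual client certificates ---
# permit_tls_clientcerts matches the presented certificate's fingerprint
# against relay_clientcerts; no CA needs to be trusted for this.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# /etc/postfix/relay_clientcerts (run "postmap" on it after editing):
# <SHA256-FINGERPRINT-OF-CLIENT-CERT>   client1.example.com
```

The fingerprint for the table can be read from the client's certificate with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`.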
