On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:

> I don't find anywhere in TLS documentation how to make postfix respect a crl
> so that clients whose certs have been revoked cannot use the submission
> server.

The supported model for submission servers that use client certs is to list all supported fingerprints in a table. With fingerprint security, you don't need CRLs.

Alternatively, you can extract all the revoked certs from the CRL, and use check_ccert_access to deny access, while allowing everyone else signed by the CA.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
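
One way to carry out the second approach from the reply above, as an added example that is not part of the original message or of Postfix itself: a CRL lists only serial numbers, so the script maps each revoked serial back to the issued certificate and emits its fingerprint as a REJECT entry for check_ccert_access. It assumes the CA keeps every issued certificate as `<SERIAL>.pem` in one directory (as `openssl ca` does in its new_certs_dir); the function names, file names and table path are hypothetical.

```shell
#!/bin/sh
# Added example: build a check_ccert_access table of REJECT entries from a CRL.
# Assumptions (not from the original post): issued certificates are stored as
# <SERIAL>.pem (uppercase hex) in one directory; all paths are placeholders.

# Read `openssl crl -noout -text` output on stdin and print one revoked
# serial number per line, normalised to uppercase hex.
crl_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9A-Fa-f]\{1,\}\)[[:space:]]*$/\1/p' |
        tr 'a-f' 'A-F'
}

# Print "<fingerprint> REJECT ..." for each revoked serial that has a
# certificate on file.
#   $1 = CRL file (PEM)   $2 = directory of issued certificates
#   $3 = digest; must match smtpd_tls_fingerprint_digest in main.cf
revoked_table() {
    crl=$1 certdir=$2 digest=${3:-sha256}
    openssl crl -in "$crl" -noout -text | crl_serials | while read -r serial; do
        cert="$certdir/$serial.pem"
        if [ ! -r "$cert" ]; then
            # Without the certificate there is no fingerprint to block;
            # report it so the gap is visible instead of silently skipped.
            echo "warning: no certificate on file for serial $serial" >&2
            continue
        fi
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -"$digest") || continue
        # openssl prints "<digest> Fingerprint=AA:BB:..."; keep the part after "=".
        printf '%s REJECT certificate revoked\n' "${fp#*=}"
    done
}

# Usage: sh revoked_table.sh ca.crl /path/to/newcerts [digest] > revoked_ccerts
# Then run `postmap revoked_ccerts` and list the table in main.cf ahead of the
# rule that permits CA-signed clients:
#   check_ccert_access hash:/etc/postfix/revoked_ccerts
if [ $# -ge 2 ]; then
    revoked_table "$@"
fi
```

Regenerate the table whenever the CA publishes a new CRL; a serial reported in the warning output is revoked but not blocked by this table.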