On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:

> I don't find anywhere in TLS documentation how to make Postfix respect a CRL
> so that clients whose certs have been revoked cannot use the submission
> server.

The supported model for submission servers that use client certs is to
list all supported fingerprints in a table. With fingerprint security,
you don't need CRLs. Alternatively, you can extract all the revoked
certs from the CRL, and use check_ccert_access to deny access, while
allowing everyone else signed by the CA.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
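
The second approach in the reply above, sketched as an added example that is not part of the original message or of Postfix itself. A CRL lists serial numbers while check_ccert_access looks up certificate fingerprints, so the script assumes the CA keeps a directory of issued certificates as `*.pem` files; the function names and all file paths are hypothetical.

```shell
#!/bin/sh
# Added example: turn a CRL into a Postfix check_ccert_access deny table.
# Assumption: the CA's issued certificates are available as PEM files,
# because the CRL carries only serial numbers, not fingerprints.

# Read `openssl crl -noout -text` output on stdin and print the revoked
# serial numbers (upper-case hex, one per line, de-duplicated).
revoked_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9A-Fa-f][0-9A-Fa-f]*\).*$/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# Usage: reject_table ISSUED_DIR SERIALS_FILE [DIGEST]
# Prints one "FINGERPRINT REJECT ..." line per issued certificate whose
# serial appears in SERIALS_FILE. DIGEST must be the same algorithm as
# smtpd_tls_fingerprint_digest in main.cf, or lookups will never match.
reject_table() {
    dir=$1
    serials=$2
    digest=${3:-sha256}
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
        [ -n "$serial" ] || continue
        if grep -qixF "$serial" "$serials"; then
            fp=$(openssl x509 -in "$cert" -noout -fingerprint "-$digest" | cut -d= -f2)
            printf '%s REJECT certificate revoked\n' "$fp"
        fi
    done
}

# Typical run (hypothetical paths):
#   openssl crl -in ca.crl -noout -text | revoked_serials > revoked.txt
#   reject_table /etc/ssl/issued revoked.txt > /etc/postfix/revoked_ccerts
#   postmap hash:/etc/postfix/revoked_ccerts
# One possible main.cf arrangement, with smtpd_tls_ask_ccert = yes:
#   smtpd_recipient_restrictions =
#       check_ccert_access hash:/etc/postfix/revoked_ccerts,
#       permit_tls_all_clientcerts, reject
```

The table has to be rebuilt and re-run through postmap each time the CA publishes a new CRL.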
