On Sun, May 16, 2010 at 12:52:56AM +0200, Hadmut Danisch wrote:

> So relaying and using local domains as sender domains is restricted
> with permit_mynetworks, permit_tls_clientcerts, permit_sasl_authenticated.
> Works as expected.

There is a difference between "permit_tls_clientcerts" and "permit_tls_all_clientcerts". The former uses an explicit list of trusted certificate fingerprints (as proxies for the underlying public key), and therefore does not heed the validity of the CA trust chain, expiration dates, ... The latter trusts all client certs issued by a particular (dedicated, private) set of CAs and only permits properly signed, unexpired, ... certificates.

> Interestingly, this works even when the client certificate has expired.

This is intentional. To "expire" a certificate, remove its fingerprint from your access table.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
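The two client-certificate policies Viktor contrasts, written out as a Postfix main.cf fragment plus the fingerprint table that permit_tls_clientcerts consults. This is an added illustration, not configuration from the original thread or from the Postfix distribution; the file paths, the table name and the fingerprint value in the table are constructed placeholders, and the digest choice (sha1) is an assumption rather than the 2010 default.

```conf
# /etc/postfix/main.cf (added example; paths and values are placeholders)

# Offer TLS and ask connecting clients for a certificate.
smtpd_tls_security_level = may
smtpd_tls_cert_file      = /etc/postfix/server-cert.pem
smtpd_tls_key_file       = /etc/postfix/server-key.pem
smtpd_tls_ask_ccert      = yes

# CA(s) used to verify client certificates.  For permit_tls_all_clientcerts
# this file MUST contain only your own dedicated, private CA: every cert
# that chains to anything in here would otherwise be granted relay access.
smtpd_tls_CAfile           = /etc/postfix/private-ca.pem
smtpd_tls_ccert_verifydepth = 1

# Digest used to form the fingerprint keys for relay_clientcerts
# (assumption: sha1 here; match it to how you compute the table keys).
smtpd_tls_fingerprint_digest = sha1

# Fingerprint allow-list consulted by permit_tls_clientcerts.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# Policy A: explicit fingerprint list.  Trust chain and validity dates are
# NOT checked; a cert stays trusted until its line is removed from the table.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_unauth_destination

# Policy B (alternative): any cert that verifies against smtpd_tls_CAfile.
# Signature, chain depth and notBefore/notAfter are enforced by OpenSSL,
# so an expired cert is refused relay access here.
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    permit_tls_all_clientcerts,
#    reject_unauth_destination

# Record the verification result in the Received: header so you can
# confirm which rule actually admitted a given message.
smtpd_tls_received_header = yes

# /etc/postfix/relay_clientcerts (added example; fingerprint is constructed)
# key:   certificate fingerprint, colon-separated uppercase hex, computed with
#        openssl x509 -noout -fingerprint -sha1 -in client-cert.pem
# value: free-form label, ignored by Postfix
#
# 3A:0F:9C:D4:6B:21:E7:58:AC:90:1D:F2:77:B3:4E:C8:05:6A:D9:12  laptop-hadmut
#
# To revoke ("expire") a client, delete its line and rebuild the table:
#   postmap /etc/postfix/relay_clientcerts
```

With Policy A the only thing that matters is whether the presented certificate's fingerprint is a key in the table; the CA file above is still used to request and log the certificate, but a missing chain or a past notAfter date does not block the match. Switching to Policy B moves the decision to the CA: keep that CA private and dedicated, since anything it signs becomes a relay credential.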