For the purposes of better scaling things out, I would prefer to maintain a table of certificate fingerprints that I want to deny, rather than a table of certificates that I want to allow. Such a table would need to be updated a small fraction of the time that an allow list would need to be updated, and would produce the same effect, but more efficiently.
However, from what I can tell, Postfix only has $permit_tls_clientcerts, and no $denied_tls_clientcerts. Because I will have a lot of churn with new certs being generated continually, I would rather have the opposite. Are there any options to do that?

Thanks,
micah