> On Jun 13, 2018, at 12:09 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>
> Maybe tlsproxy is dropping permissions too soon?

Because it serves multiple SMTP delivery agents, with
potentially different client certs, it can't obtain
the certs in advance. The solution is to serialize
the client cert and key and pass it to the proxy, or
to create a "store" for client certs, SNI-based
server certs, etc. and have the proxy extract the
certs from the "store", with root privs used to
gain access to the store.

This is a work in progress. For now, to continue
testing, making the cert owned by "postfix" is a
bit better than world-readable.

--
Viktor.