On 6/13/2018 11:19 AM, Viktor Dukhovni wrote:
>
>> On Jun 13, 2018, at 12:09 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>
>> Maybe tlsproxy is dropping permissions too soon?
>
> Because it serves multiple SMTP delivery agents, with
> potentially different client certs, it can't obtain
> the certs in advance. The solution is to serialize
> the client cert and key and pass it to the proxy, or
> to create a "store" for client certs, SNI-based
> server certs, etc. and have the proxy extract the
> certs from the "store", with root privs used to
> gain access to the store.
>
> This is a work in progress. For now, to continue
> testing, making the cert owned by "postfix" is a
> bit better than world-readable.

Thanks. Will do.

-- 
Noel Jones