Noel Jones:
> On 6/13/2018 11:19 AM, Viktor Dukhovni wrote:
> >
> >> On Jun 13, 2018, at 12:09 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> >>
> >> Maybe tlsproxy is dropping permissions too soon?
> >
> > Because it serves multiple SMTP delivery agents, with
> > potentially different client certs, it can't obtain
> > the certs in advance. The solution is to serialize
> > the client cert and key and pass it to the proxy, or
> > to create a "store" for client certs, SNI-based
> > server certs, etc. and have the proxy extract the
> > certs from the "store", with root privs used to
> > gain access to the store.
> >
> > This is a work in progress. For now, to continue
> > testing, making the cert owned by "postfix" is a
> > bit better than world-readable.
>
> Thanks. Will do.
The 'postfix check' command will complain if you store non-root files under /etc/postfix, so you may want to store them under /etc/postfix-certs or something like that.

Thanks for testing the code.

Wietse
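An added audit script (not from the thread or from Postfix) that checks the two points raised above: a client key handed to a non-root tlsproxy should be owned by the unprivileged account but not group/world readable, and it should live outside /etc/postfix. The directory name, the `.key` suffix and the owner name are assumptions.

```shell
# Added example, not Postfix code. Assumes the layout Wietse suggests:
# private keys as *.key under a directory outside /etc/postfix (e.g. the
# hypothetical /etc/postfix-certs), owned by the unprivileged "postfix" user.

# Return 0 if the file's mode has no group/other permission bits.
# Parses `ls -ld` so it works on both GNU and BSD userlands.
key_mode_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Return 0 if the file is owned by the expected user (e.g. "postfix").
key_owner_is() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# Return 0 if the key is not under /etc/postfix, where `postfix check`
# complains about non-root files.
key_not_in_postfix_dir() {
    case "$1" in
        /etc/postfix/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit every *.key in a directory; print each problem, return 1 if any.
audit_key_dir() {
    dir=$1; expected_owner=$2; bad=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        if ! key_mode_is_private "$k"; then
            echo "WARN: $k is group/world accessible"; bad=1
        fi
        if ! key_owner_is "$k" "$expected_owner"; then
            echo "WARN: $k is not owned by $expected_owner"; bad=1
        fi
        if ! key_not_in_postfix_dir "$k"; then
            echo "WARN: $k is under /etc/postfix; postfix check will complain"; bad=1
        fi
    done
    return "$bad"
}

# Usage: audit_key_dir /etc/postfix-certs postfix
```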