On 13/3/23 05:52, Vincent Lefevre wrote:
> Yes, but here, that's optional. So I'm wondering whether you really
> miss anything. Note also that a client certificate may be sent only
> if it is requested by the server, and if client certificates are
> requested, then there are issues with some clients:
> http://www.postfix.org/TLS_README.html#server_vrfy_client
That document refers to troublesome Netscape clients (I didn't know
Netscape did email?). Netscape went defunct in 2008 so there will be
vanishingly few still using it.
Observing my mailing lists I see several categories of mailer.
* Anonymous TLS connection
* TLS connection with certificate that can't be verified
* TLS connection with certificate that can be verified
* TLS connection with verified R3 (letsencrypt) certificate.
Each of those options has been chosen by the mail list administrator.
As a general principle it's a good thing to know the system sending you
mail is genuine. Given the variety, there is no point in rejecting the
email if there is no certificate, but having a verified certificate
could be used to streamline any anti-spam processes such as not
greylisting. I don't know if postfix can do that yet, but it seems it
would be a good thing.
--
Jeremy
(Lists)
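As an added illustration (not part of the thread above), the following script sorts Postfix smtpd handshake log lines into the first three categories Jeremy lists, using the "Anonymous", "Untrusted" and "Trusted" wording Postfix itself puts in those lines; the log lines, hostnames and addresses below are constructed samples, and the fourth category (a Let's Encrypt issuer) is not recoverable from the handshake line alone, so it is left out.

```python
import re
from collections import Counter

# Postfix smtpd logs each TLS handshake as "<Status> TLS connection established
# from <host>[<ip>]: <proto> with cipher <cipher> ...", where <Status> is
# Anonymous (no client certificate), Untrusted (certificate presented but not
# verifiable) or Trusted (certificate verified against the configured CAs).
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<status>Anonymous|Untrusted|Trusted) TLS connection "
    r"established from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log in Postfix's format; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 13 05:52:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from list.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 13 05:52:07 mx postfix/smtpd[1235]: Untrusted TLS connection established from relay.example.net[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 13 05:52:09 mx postfix/smtpd[1236]: Trusted TLS connection established from lists.example.com[203.0.113.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 13 05:52:15 mx postfix/smtpd[1237]: connect from unknown[203.0.113.99]
Mar 13 05:52:20 mx postfix/smtpd[1238]: Anonymous TLS connection established from list.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""


def parse_tls_lines(log_text):
    """Yield (status, host, ip, proto, cipher) for each smtpd TLS handshake line;
    lines that are not TLS handshake records (e.g. plain "connect from") are skipped."""
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            yield (m.group("status"), m.group("host"), m.group("ip"),
                   m.group("proto"), m.group("cipher"))


def tls_status_summary(log_text):
    """Count handshakes per (sending host, client-certificate status) so each
    peer can be placed in one of the categories listed in the message above."""
    counts = Counter()
    for status, host, _ip, _proto, _cipher in parse_tls_lines(log_text):
        counts[(host, status)] += 1
    return counts


if __name__ == "__main__":
    for (host, status), n in sorted(tls_status_summary(SAMPLE_LOG).items()):
        print(f"{host:24} {status:10} {n}")
```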