Viktor Dukhovni via Postfix-users:
> On Thu, Apr 02, 2026 at 03:43:52PM +0200, A. Schulze via Postfix-users wrote:
>
> > We operate SMTP servers using a valid SMTP server certificate.
> > we ask SMTP clients for a certificate ( smtpd_tls_ask_ccert = yes )
>
> Why?
>
> > Our SMTP servers are reachable only for one external organisation, not
> > a public MX. Over the last years, we saw 100% "Trusted TLS connection
> > established from ..."
> >
> > Since April 1 2026, 8 am UTC, we have 1% untrusted connections.
> > Even the same SMTP client IP switches between Trusted/Untrusted multiple times
> > per hour.
>
> Perhaps because in accordance with the Google Chrome Root Programme
> policy, mainstream (WebPKI) public CAs are ceasing to issue "clientAuth"
> certificates. When a certificate carries only the "serverAuth" EKU, it
> will no longer validate as a TLS client certificate.
Code to work around that was released yesterday (postfix-3.12-20260401)
and may be back-ported to the stable releases (3.8-11) if desirable.
Wietse
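
The EKU behaviour described in the quoted reply can be reproduced locally with the OpenSSL command-line tool. This is an added example, not part of the thread and not Postfix code; the certificate names, the `make_cert` and `verify_as` helpers, and the `ok`/`rejected` labels are constructed for illustration, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificates, constructed for this demo.
# Shows that a certificate whose EKU lists only serverAuth passes validation
# for the "sslserver" purpose but fails for "sslclient".

workdir=$(mktemp -d)

# make_cert NAME EKU: create a self-signed leaf certificate with the given EKU list.
make_cert() {
    cat > "$workdir/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1.example.test
[ext]
basicConstraints = CA:FALSE
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$workdir/$1.cnf" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# verify_as CERT PURPOSE: validate CERT (trusted as its own anchor) for PURPOSE.
# Prints "ok" if validation succeeds, "rejected" otherwise.
verify_as() {
    if openssl verify -CAfile "$1" -purpose "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

make_cert server-only serverAuth
make_cert dual "serverAuth, clientAuth"

for c in server-only dual; do
    printf '%-12s sslserver=%s sslclient=%s\n' "$c" \
        "$(verify_as "$workdir/$c.pem" sslserver)" \
        "$(verify_as "$workdir/$c.pem" sslclient)"
done
```

To inspect a certificate a peer actually presents, `openssl x509 -in cert.pem -noout -purpose` lists the purposes its extensions allow.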