
Re: home server for email box




On 13/3/23 05:52, Vincent Lefevre wrote:

Yes, but here, that's optional. So I'm wondering whether you really
miss anything. Note also that a client certificate may be sent only
if it is requested by the server, and if client certificates are
requested, then there are issues with some clients:

http://www.postfix.org/TLS_README.html#server_vrfy_client

That document refers to troublesome Netscape clients (I didn't know Netscape did email?). Netscape went defunct in 2008 so there will be vanishingly few still using it.

Observing my mailing lists I see several categories of mailer.

 * Anonymous TLS connection
 * TLS connection with certificate that can't be verified
 * TLS connection with certificate that can be verified
 * TLS connection with verified R3 (letsencrypt) certificate.

Each of those options has been chosen by the mail list administrator.

As a general principle it's a good thing to know the system sending you mail is genuine. Given the variety, there is no point in rejecting the email if there is no certificate, but having a verified certificate could be used to streamline any anti-spam processes such as not greylisting. I don't know if Postfix can do that yet, but it seems it would be a good thing.

--
Jeremy
(Lists)
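
The four categories listed in the message above can be read back from the TLS annotation in the topmost Received header. This is an added example, not part of the original message; it assumes the receiving server is Postfix with `smtpd_tls_received_header = yes` and `smtpd_tls_ask_ccert = yes`, and the sample header, host names and category labels are constructed.

```python
import re
from email import message_from_string

# Certificate annotation as Postfix writes it into its Received header.
CERT_RE = re.compile(
    r'\(Client CN "([^"]*)", Issuer "([^"]*)" \((verified OK|not verified)\)\)')

def classify(raw_message):
    """Return the TLS category recorded by the newest Received header."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return "no-received-header"
    # Only the top header was written by our own server; headers below it
    # arrived with the message and prove nothing about the sender.
    hop = " ".join(received[0].split())  # unfold continuation lines
    if "(using TLS" not in hop:
        return "plaintext"
    match = CERT_RE.search(hop)
    if match is None:
        return "anonymous-tls"  # no certificate requested or presented
    _cn, issuer, status = match.groups()
    if status != "verified OK":
        return "unverified-cert"
    return "verified-r3" if issuer == "R3" else "verified-cert"

def may_skip_greylisting(category):
    """Policy sketch: only a verified client certificate earns the shortcut."""
    return category in ("verified-cert", "verified-r3")

def sample(annotation, extra_hop=""):
    """Build a constructed message; hosts and queue id are made up."""
    return ("Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
            "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n"
            + annotation +
            "\tby mx.example.net (Postfix) with ESMTPS id 4ABCDEF\n"
            "\tfor <list@example.net>; Mon, 13 Mar 2023 06:00:00 +0000 (UTC)\n"
            + extra_hop + "Subject: test\n\nbody\n")

if __name__ == "__main__":
    for note in ('\t(Client did not present a certificate)\n',
                 '\t(Client CN "mail.example.org", Issuer "Example CA" (not verified))\n',
                 '\t(Client CN "mail.example.org", Issuer "Example CA" (verified OK))\n',
                 '\t(Client CN "mail.example.org", Issuer "R3" (verified OK))\n'):
        category = classify(sample(note))
        print(category, may_skip_greylisting(category))
```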

