postfix + tls + client certificate auth - permit_tls_clientcerts not working

[MiNoS]

Hallo Liebe Community!

Ich habe in den letzten Tagen versucht einen postfix mit TLS und Client Zertifikats Authentifizierung zu installieren. Soweit ging alles gut und mit Thunderbird wird auch eine TLS Verbindung auf gebaut und das postfix log zeigt dies ebenso.
Nun wollte ich per

Code:

smtpd_client_restrictions = permit_tls_clientcerts, permit_mynetworks, reject_unauth_destination

Usern welche mit einem gültigen und hinterlegten Zertifikat angemeldet sind das relaying erlauben doch ich bekommen immer "Relay access denied;".

postconf -n ergibt:

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = openmailsecurity.org, nas, localhost.localdomain, localhost
myhostname = nas.openmailsecurity.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcert
relayhost = [smtp.gmail.com]:587
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/password
smtp_sasl_security_options = 
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, permit_mynetworks, reject_unauth_destination
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

in der relay_clientcert steht:

Code:

71:4C:85:2B:B8:1E:60:3C:66:A0:DC:BB:7A:66:23:03:51:50:A7:12    OK

und im logfile:

Code:

Sep 24 17:35:49 nas postfix/smtpd[13241]: connect from unknown[78.142.185.79]
Sep 24 17:35:49 nas postfix/smtpd[13241]: setting up TLS connection from unknown[78.142.185.79]
Sep 24 17:35:50 nas postfix/smtpd[13241]: unknown[78.142.185.79]: Trusted: subject_CN=Stefan Selbitschka, issuer=QV Schweiz ICA, fingerprint=71:4C:85:2B:B8:1E:60:3C:66:A0:DC:BB:7A:66:23:03:51:50:A7:12
Sep 24 17:35:50 nas postfix/smtpd[13241]: Trusted TLS connection established from unknown[78.142.185.79]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 24 17:35:50 nas postfix/smtpd[13241]: NOQUEUE: reject: RCPT from unknown[78.142.185.79]: 554 5.7.1 <selbitschka@gmail.com>: Relay access denied; from=<selbitschka@rundquadrat.at> to=<selbitschka@gmail.com> proto=ESMTP helo=<[192.168.1.102]>
Sep 24 17:35:52 nas postfix/smtpd[13241]: disconnect from unknown[78.142.185.79]

vielleicht hat von euch einer eine idee

danke mal im vorraus