diff --git a/postfix/HISTORY b/postfix/HISTORY
index de1c56283..df93dfac0 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24658,3 +24658,10 @@ Apologies for any names omitted.
 	multi-Milter configuration during MAIL FROM. Milter client
 	state was not properly reset after one of the Milters failed.
 	Reported by WeiYu Wu.
+
+20200312
+
+	Usability: the Postfix SMTP server now logs a warning when
+	a configuration requests access control by client certificate,
+	but "smtpd_tls_ask_clientcert = no".  Files: proto/postconf.proto,
+	smtpd/smtpd_check.c.
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index e8d4ae3c0..68135b0de 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -14239,7 +14239,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
 remote SMTP client certificate is verified successfully.
 The fingerprint digest algorithm is configurable via the
 <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
+Postfix version 2.5).  This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version
 2.2 and later. </dd>
 
 <br>
@@ -14353,7 +14354,8 @@ CA. Otherwise, clients with a third-party certificate would also
 be allowed to relay.  Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
 trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
 to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
+with Postfix version 2.2 and later.</dd>
 
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 
@@ -14362,8 +14364,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
 listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
 The fingerprint digest algorithm is configurable via the
 <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5).  This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version 2.2 and later.</dd>
 
 <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 056e35e47..fbb387c09 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -9523,7 +9523,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
 remote SMTP client certificate is verified successfully.
 The fingerprint digest algorithm is configurable via the
 smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
+Postfix version 2.5).  This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
 2.2 and later.
 .br
 .br
@@ -9623,7 +9624,8 @@ CA. Otherwise, clients with a third\-party certificate would also
 be allowed to relay.  Specify "tls_append_default_CA = no" when the
 trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
 to prevent Postfix from appending the system\-supplied default CAs.
-This feature is available with Postfix version 2.2.
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.
 .br
 .IP "\fBpermit_tls_clientcerts\fR"
 Permit the request when the remote SMTP client certificate
@@ -9631,8 +9633,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
 listed in $relay_clientcerts.
 The fingerprint digest algorithm is configurable via the
 smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
-2.2.
+Postfix version 2.5).  This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.
 .br
 .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the reversed client network address is
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 11f769467..4f81c10b0 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -5110,7 +5110,8 @@ access(5) database; with Postfix version 2.2, also require that the
 remote SMTP client certificate is verified successfully.
 The fingerprint digest algorithm is configurable via the
 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
+Postfix version 2.5).  This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
 2.2 and later. </dd>
 
 <br>
@@ -5225,7 +5226,8 @@ CA. Otherwise, clients with a third-party certificate would also
 be allowed to relay.  Specify "tls_append_default_CA = no" when the
 trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
 to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.</dd>
 
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 
@@ -5234,8 +5236,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
 listed in $relay_clientcerts.
 The fingerprint digest algorithm is configurable via the
 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5).  This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5).  This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.</dd>
 
 <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index aa75846ac..74e6cb848 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200309"
+#define MAIL_RELEASE_DATE	"20200312"
 #define MAIL_VERSION_NUMBER	"3.6"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index b93ac4d4a..1eaaf279b 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -1627,6 +1627,10 @@ static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
 	if (msg_verbose)
 	    msg_info("relay_clientcerts: No match for fingerprint '%s', "
 		     "pkey fingerprint %s", prints[0], prints[1]);
+    } else if (!var_smtpd_tls_ask_ccert) {
+	msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
+		 PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
+		 VAR_SMTPD_TLS_ACERT);
     }
 #endif
     return (SMTPD_CHECK_DUNNO);
@@ -3227,6 +3231,9 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
 	    if (result != SMTPD_CHECK_DUNNO)
 		break;
 	}
+    } else if (!var_smtpd_tls_ask_ccert) {
+	msg_warn("%s is requested, but \"%s = no\"",
+		 CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
     } else {
 	if (msg_verbose)
 	    msg_info("%s: no client certificate", myname);