> But you're still not authenticating the server. For that you'll need:
> smtp_tls_security_level=secure so that the client verifies the server
> hostname also and
> refuses to proceed when authentication fails.
A simpler alternative for my case may be
-o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
-o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
+ -o smtp_tls_fingerprint_cert_match=$var_FP01
-o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
- -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
- -o smtp_tls_security_level=secure
+ -o smtp_tls_security_level=fingerprint
-o tls_append_default_CA=no
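Review bot: the added `+ -o smtp_tls_fingerprint_cert_match=$var_FP01` pins this transport to one exact server certificate, so the change needs a rotation step alongside it: the moment the relay's certificate is renewed the fingerprint no longer matches and every delivery through `relay-remote` defers until `$var_FP01` is updated in main.cf. The parameter takes a list, so listing the outgoing and incoming fingerprints together during a changeover avoids the outage. Note also that once `smtp_tls_security_level=fingerprint` is in effect, `smtp_tls_CAfile` and `tls_append_default_CA=no` no longer decide whether the session proceeds (the fingerprint does), and removing `smtp_tls_policy_maps` drops any per-destination policy that file held, so confirm nothing else relied on it.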
which produces in the log
Jun 9 19:27:30 remote016 postfix/relay-remote/smtp[25329]: Verified
TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
with a Verified TLS connection.
Is 'Verified' here equivalent to your 'authentication' advice?
In this fingerprint mode, if the FP is unmatched, the send is deferred. Does
that deferral constitute sufficient 'refusal to proceed'?
I assume alternative action can be specified in some relevant parameter.
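The question of whether "Verified" in that log line means the server was actually authenticated can be checked mechanically across a log file. The following is an added example, not code from this thread or from Postfix: it parses the smtp client's "TLS connection established" lines, maps the leading trust word to what the Postfix TLS documentation says it means (only "Verified" means the peer's identity was checked, either by name match at the `secure`/`verify` levels or by fingerprint match at the `fingerprint` level), and lists sessions on a given master.cf service that fell short. The first sample line is the one quoted above; the other lines are constructed to show the remaining trust words and a non-TLS line.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the single line quoted in the message
# above (line 1 is that one; the rest are invented to exercise the parser).
SAMPLE_LOG = """\
Jun 9 19:27:30 remote016 postfix/relay-remote/smtp[25329]: Verified TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 19:28:02 remote016 postfix/relay-remote/smtp[25331]: Trusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 19:29:10 remote016 postfix/relay-remote/smtp[25333]: Untrusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 19:30:45 remote016 postfix/relay-remote/smtp[25335]: Anonymous TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 19:31:00 remote016 postfix/relay-remote/smtp[25337]: connect to internal.local010.DDDD.com[10.128.1.10]:11587: Connection refused
"""

# Shape of the Postfix smtp client's TLS session line (syslog prefix included).
TLS_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<service>[^/\s]+)/smtp\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Meaning of the trust word, per the Postfix TLS documentation:
#   Anonymous  - no certificate presented or checked
#   Untrusted  - certificate presented, chain not trusted
#   Trusted    - chain trusted, but the peer name was not matched
#   Verified   - chain trusted and name matched, or (fingerprint level)
#                the certificate / public-key fingerprint matched
AUTHENTICATED = {"Verified"}


def parse_tls_line(line):
    """Return a dict of fields for a 'TLS connection established' line, else None."""
    m = TLS_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_authenticated(rec):
    """True only when Postfix logged the peer as Verified."""
    return rec["trust"] in AUTHENTICATED


def summarize(log_text):
    """Count TLS sessions per trust word across a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec:
            counts[rec["trust"]] += 1
    return counts


def unauthenticated_sessions(log_text, service=None):
    """List (pid, trust, peer) for TLS sessions that did not reach Verified,
    optionally limited to one master.cf service name such as 'relay-remote'."""
    found = []
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if not rec or is_authenticated(rec):
            continue
        if service and rec["service"] != service:
            continue
        found.append((rec["pid"], rec["trust"], rec["peer"]))
    return found


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for pid, trust, peer in unauthenticated_sessions(SAMPLE_LOG, "relay-remote"):
        print(f"pid {pid}: {trust} session to {peer} did not authenticate the server")
```

Run against a real mail log, anything other than "Verified" on a transport that is meant to be at the `secure` or `fingerprint` level is worth an alert: at those levels Postfix is supposed to defer rather than deliver, so a "Trusted" or "Untrusted" session on such a transport usually means the `-o` overrides did not apply to the service that actually handled the message.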