> But you're still not authenticating the server. For that you'll need:
> smtp_tls_security_level=secure so that the client verifies the server
> hostname also and refuses to proceed when authentication fails.
A simpler alternative for my case may be

    -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
    -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
  + -o smtp_tls_fingerprint_cert_match=$var_FP01
    -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
  - -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
  - -o smtp_tls_security_level=secure
  + -o smtp_tls_security_level=fingerprint
    -o tls_append_default_CA=no

which returns in log

  Jun 9 19:27:30 remote016 postfix/relay-remote/smtp[25329]: Verified TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

with a Verified TLS connection.

Is 'Verified' here equivalent to your 'authentication' advice?

In this fingerprint mode, if the FP is un-matched, the send is deferred. Does that deferral constitute sufficient 'refusal to proceed'? I assume alternative action can be specified in some relevant parameter.
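Review bot: with smtp_tls_security_level=fingerprint the retained smtp_tls_CAfile line has no effect, because at that level Postfix builds no trust chain and performs no CA, expiry or hostname checks; authentication rests entirely on smtp_tls_fingerprint_cert_match matching the server certificate's digest, so $var_FP01 must have been computed with the digest named in smtp_tls_fingerprint_digest (sha256 by default since Postfix 3.6, md5 on older releases). "Verified" in the log is the success outcome for this level, and on a mismatch Postfix logs an "Untrusted TLS connection" and defers delivery rather than falling back to plaintext. Suggest dropping the unused CAfile line so the configuration reflects what is actually enforced.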
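An added example, not from the thread: a POSIX shell script that derives the value to pin in smtp_tls_fingerprint_cert_match from the relay's certificate PEM (colon-separated hex, as Postfix expects) and classifies postfix/smtp log lines by the TLS verification outcome they report. It assumes openssl is on PATH; the file names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumes openssl in PATH.

# Print the certificate fingerprint in the form Postfix expects for
# smtp_tls_fingerprint_cert_match. The digest must match the Postfix
# smtp_tls_fingerprint_digest setting: sha256 is the default on Postfix 3.6+,
# older releases default to md5 (pass "md5" as the second argument).
#   usage: postfix_cert_fp /etc/ssl/mail/relay-remote-peer.crt [sha256|md5]
postfix_cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -"${2:-sha256}" \
        | sed 's/^.*Fingerprint=//'
}

# Compare a pin with a freshly computed fingerprint, ignoring letter case,
# so a rotated server certificate is noticed before Postfix starts deferring.
#   usage: fp_matches "$var_FP01" "$(postfix_cert_fp peer.crt)"
fp_matches() {
    pin=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    got=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$pin" ] && [ "$pin" = "$got" ]
}

# Map one postfix/smtp log line to the verification outcome it reports.
# "verified" is the success outcome at the secure, verify and fingerprint
# levels; "untrusted" is what a fingerprint or chain mismatch produces.
tls_status() {
    case "$1" in
        *"Verified TLS connection"*)  echo verified ;;
        *"Trusted TLS connection"*)   echo trusted ;;
        *"Untrusted TLS connection"*) echo untrusted ;;
        *"Anonymous TLS connection"*) echo anonymous ;;
        *)                            echo none ;;
    esac
}
```

Feed the relay's log through `tls_status` per line, or run `postfix_cert_fp` against the peer certificate at rotation time, to confirm the pin still matches what the remote presents.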