> Yes, the key question is what's in the server certificate. You'll
> want "match=<whatever appears there>". And if you're using the
> policy table, you don't also need "smtp_tls_security_level=secure",
> the policy table preempts that.
Back to
CLIENT/master.cf
-o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
-o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
- -o smtp_tls_fingerprint_cert_match=$var_FP01
-o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
+ -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
- -o smtp_tls_security_level=secure
- -o smtp_tls_security_level=fingerprint
-o tls_append_default_CA=no
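Review bot: with the `-o smtp_tls_security_level=secure` and `=fingerprint` lines removed, this transport's TLS level is now decided entirely by the `smtp_tls_policy_maps` lookup; a destination that has no entry in tls_policy falls back to the global smtp_tls_security_level from main.cf, so confirm that default is as strict as this relay-remote transport needs (the `smtp_tls_CAfile` plus `tls_append_default_CA=no` pair correctly limits trust to the private DDDD CA for the `secure` entries).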
CLIENT/tls_policy
- [internal.local010.DDDD.com]:11587 secure match=nexthop
+ [internal.local010.DDDD.com]:11587 secure
match=relay-local.DDDD.com
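Review bot: the `+` entry's `match=relay-local.DDDD.com` has wrapped onto its own line; in a Postfix lookup table a line without leading whitespace is read as a new key, so keep the whole entry on one line (`[internal.local010.DDDD.com]:11587 secure match=relay-local.DDDD.com`) or indent the continuation, and re-run postmap on the table afterwards. If the wrap is only a mail-client artefact, nothing to change.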
where, at the local server, the match=<value> is the server cert's extracted CN= value:
openssl x509 -noout -subject -in /etc/ssl/mail/relay-local.crt | sed -n '/^subject/s/^.*CN=//p'
>>> relay-local.DDDD.com
verifies, in log
Jun 9 20:07:50 remote016 postfix/relay-remote/smtp[25329]: Verified TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Two working solutions. Great. Thanks.
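The match= semantics the post relies on, as an added example that is not part of the original post or of Postfix itself: a simplified Python model of how a `secure` tls_policy entry's patterns are checked against the names in the server certificate, which shows why `match=nexthop` fails for a certificate named relay-local.DDDD.com when the next-hop is internal.local010.DDDD.com. It assumes the certificate's names are supplied as a list (the dNSName SANs, or the subject CN when there are none) and does not model wildcard certificates or the `hostname` strategy.

```python
# Added example, not Postfix code: a simplified model of the match= check a
# "secure" smtp_tls_policy_maps entry applies to the server certificate names.
# Assumptions: cert names are passed in as a list; no wildcard-cert handling.
import re


def nexthop_domain(destination: str) -> str:
    """Next-hop domain of a policy key: drop the [brackets] and :port."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", destination.strip())
    host = m.group(1) if m else destination.strip().rsplit(":", 1)[0]
    return host.lower()


def parse_policy(line: str) -> tuple[str, str, list[str]]:
    """Split one tls_policy line into (destination, level, match patterns)."""
    dest, level, *attrs = line.split()
    patterns: list[str] = []
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key == "match":               # colon-separated inside the table
            patterns += [p for p in value.split(":") if p]
    return dest, level, patterns


def pattern_matches(pattern: str, cert_name: str, nexthop: str) -> bool:
    """One match= pattern against one certificate name (case-insensitive)."""
    name = cert_name.lower()
    if pattern == "nexthop":             # exact next-hop domain
        return name == nexthop
    if pattern == "dot-nexthop":         # sub-domains of the next-hop only
        return name.endswith("." + nexthop)
    pattern = pattern.lower()
    if pattern.startswith("."):          # ".DDDD.com": sub-domains only
        return name.endswith(pattern)
    return name == pattern               # literal host name, as in the post


def policy_accepts(line: str, cert_names: list[str]) -> bool:
    """True if the certificate names satisfy the entry's match= patterns."""
    dest, level, patterns = parse_policy(line)
    if level != "secure":
        raise ValueError("only 'secure' entries are modelled here")
    nexthop = nexthop_domain(dest)
    # With no match= attribute Postfix applies smtp_tls_secure_cert_match,
    # whose default is "nexthop, dot-nexthop".
    return any(pattern_matches(p, n, nexthop)
               for p in (patterns or ["nexthop", "dot-nexthop"]) for n in cert_names)


def cn_from_subject(subject_line: str) -> str:
    """CN from 'openssl x509 -subject' output, with or without spaces around '='."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject_line)
    return m.group(1).strip() if m else ""
```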