> Yes, the key question is what's in the server certificate. You'll
> want "match=<whatever appears there>". And if you're using the
> policy table, you don't also need "smtp_tls_security_level=secure",
> the policy table preempts that.
Back to

CLIENT/master.cf

    -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
    -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
-   -o smtp_tls_fingerprint_cert_match=$var_FP01
    -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
+   -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
-   -o smtp_tls_security_level=secure
-   -o smtp_tls_security_level=fingerprint
    -o tls_append_default_CA=no

CLIENT/tls_policy

-   [internal.local010.DDDD.com]:11587 secure match=nexthop
+   [internal.local010.DDDD.com]:11587 secure match=relay-local.DDDD.com

where, at the local server, the match=<value> is the server cert's extracted CN= value

    openssl x509 -noout -subject -in /etc/ssl/mail/relay-local.crt | sed -n '/^subject/s/^.*CN=//p'
    >>> relay-local.DDDD.com

verifies, in log

    Jun  9 20:07:50 remote016 postfix/relay-remote/smtp[25329]: Verified TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Two working solutions. Great. Thanks.
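An added example, not from this thread or from Postfix itself: a script that derives the tls_policy "match=" value from the server certificate rather than hand-copying the CN. As I read the Postfix docs, name verification uses the DNS subjectAltName entries when the cert has any and falls back to the CN only when it has none, so the script emits the SANs as a colon-separated match list and uses the CN only as fallback. The hostnames, the self-signed test cert generated inline and the next-hop are constructed stand-ins for relay-local.crt and the internal.local010 relay.

```shell
#!/bin/sh
# Constructed example: build a Postfix tls_policy entry whose match= list
# comes from the server certificate (DNS SANs first, CN as fallback).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for relay-local.crt: self-signed, with two DNS SANs.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/relay-local.key" -out "$WORK/relay-local.crt" \
    -subj "/O=Example/CN=relay-local.example.test" \
    -addext "subjectAltName=DNS:relay-local.example.test,DNS:mx.example.test" \
    >/dev/null 2>&1
  echo "$WORK/relay-local.crt"
}

# Subject CN, printed one RDN per line so the sed does not depend on CN
# being the last component of the subject.
cert_cn() {
  openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
    | sed -n 's/^[[:space:]]*CN=//p'
}

# DNS subjectAltName entries, one per line (empty if the cert has none).
cert_dns_sans() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' || true
}

# Colon-separated match= value: all DNS SANs, else the CN.
match_value() {
  names="$(cert_dns_sans "$1")"
  [ -n "$names" ] || names="$(cert_cn "$1")"
  printf '%s\n' "$names" | paste -s -d : -
}

# One line for /etc/postfix/tls_policy: "[nexthop]:port secure match=..."
policy_line() {  # $1 = cert path, $2 = next-hop, e.g. [internal.example.test]:11587
  printf '%s secure match=%s\n' "$2" "$(match_value "$1")"
}

CRT="$(make_test_cert)"
policy_line "$CRT" "[internal.example.test]:11587"
```

After writing the line to the policy file, rebuild the map with postmap and confirm the lookup with postmap -q "[internal.example.test]:11587" lmdb:/etc/postfix/tls_policy before reloading.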