On Thu, Jul 06, 2017 at 01:03:03PM +0200, Bastien Durel wrote:
> I have a setup where an MTA will forward mail to another node, based on LDAP
> configuration.

> It works well, but it uses ADH
> 
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
>       (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
>       (No client certificate requested)
>       by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
>       for <bast...@geekwu.org>; Thu,  6 Jul 2017 01:52:53 +0200 (CEST)
> 
> I know I should not disable ADH on the public interface, but I'd like to prevent
> it on the "private" interface (intra-cluster only), as "cluster" nodes do
> communicate over the Internet.

Just force authentication for this connection by setting
smtp_tls_security_level to an appropriate level:

- dane, with appropriate DNS entries
- dane-only
- fingerprint
- verify
- secure

You can also override this setting via smtp_tls_policy_maps.

Regards,
Bastian

-- 
Is truth not truth for all?
                -- Natira, "For the World is Hollow and I have Touched
                   the Sky", stardate 5476.4.
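The per-destination policy-map approach from the reply, written out for the cluster next-hop seen in the quoted Received header. This is an added example, not configuration from the thread; it assumes the LDAP transport table routes cluster mail as `relay:[corrin.geekwu.org]` (so that bracketed host is the policy lookup key), a Debian-style CA bundle path, and a placeholder fingerprint.

```conf
# /etc/postfix/main.cf  (relevant lines only)

# Default for everything else: opportunistic TLS. At this level the peer is
# never authenticated, so anonymous suites such as ADH-AES256-GCM-SHA384 are
# accepted; that is what produced the quoted Received header.
smtp_tls_security_level = may
smtp_tls_loglevel       = 1

# CA bundle used by the "secure"/"verify" levels (assumed Debian path).
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt

# Digest algorithm for "fingerprint" entries in the policy table.
smtp_tls_fingerprint_digest = sha256

# Per-destination overrides; the cluster peer gets a mandatory, authenticated level.
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#
# Lookup key = next-hop exactly as the transport table names it (assumption:
# the LDAP transport entry yields relay:[corrin.geekwu.org]).
#
# Option A: verify the peer's certificate against the CA bundle and require
# the name to match. Anonymous (aNULL) suites are disabled automatically at
# this level, so ADH can no longer be negotiated for this destination.
[corrin.geekwu.org]  secure  match=corrin.geekwu.org

# Option B: pin the peer's certificate instead of trusting a CA. Replace the
# placeholder with the real SHA-256 digest of the peer's certificate.
# [corrin.geekwu.org]  fingerprint  match=<PLACEHOLDER:AA:BB:CC:...:FF>
```

After `postfix reload`, the sending node's mail log should read "Verified TLS connection established to corrin.geekwu.org..." rather than "Anonymous TLS connection established", and the Received header on arrakeen should no longer show an ADH- or AECDH- cipher.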
