On Thu, Jul 06, 2017 at 01:03:03PM +0200, Bastien Durel wrote:
> I have a setup where an MTA will forward mail to another node, based on ldap
> configuration.
> It works well, but it uses ADH
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
>       (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
>       (No client certificate requested)
>       by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
>       for <bast...@geekwu.org>; Thu, 6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on public interface, but I'd like to prevent
> it on "private" interface (intra-cluster only), as "cluster" nodes do
> communicate over Internet.

Just force authentication for this connection by setting
smtp_tls_security_level to an appropriate level:

- dane, with appropriate dns entries
- dane-only
- fingerprint
- verify
- secure

You can also override this setting via smtp_tls_policy_maps

Regards,
Bastian

-- 
Is truth not truth for all?
    -- Natira, "For the World is Hollow and I have Touched the Sky",
       stardate 5476.4.
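
A sketch of the per-destination override described in the reply above, added here as an example and not part of the original thread. The file paths, the CA bundle, the global `may` default and the bracketed nexthop form are assumptions; the lookup key has to match whatever nexthop the LDAP-driven transport actually returns.

```cfg
# --- /etc/postfix/main.cf on the sending node (paths are assumptions) ---

# Global default stays opportunistic, so delivery to arbitrary public
# MX hosts is unchanged (assumed to be the current setting).
smtp_tls_security_level = may

# Per-destination policy overrides the global level for listed nexthops.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Trust anchors used when a policy entry asks for "verify" or "secure".
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- /etc/postfix/tls_policy ---

# Intra-cluster hop: require a certificate that chains to the CA above
# and whose name matches the host being connected to.
[arrakeen.geekwu.org]:25    verify match=hostname

# Alternative without a CA: pin the peer certificate instead.
# Replace the placeholder with the real certificate fingerprint.
# [arrakeen.geekwu.org]:25  fingerprint match=<PEER-CERT-FINGERPRINT>
```

After editing, rebuild the table with `postmap /etc/postfix/tls_policy` and reload Postfix. The `Received:` header on the next intra-cluster message should then show a certificate-authenticated cipher rather than an `ADH-` suite.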