Dear Postfix folks,

Currently, our `/etc/postfix/tls_policy` looks like below to force
encryption when sending messages to other servers in our organization.

    mpg.de encrypt
    .mpg.de encrypt

We want to improve that. Unfortunately, DANE is not an option as the DFN
does not support that, and a lot of German research organizations and
institutes use that for receiving messages.

We do not have control over the other servers, but want to migrate to
*verify* [1].

Can you recommend a strategy for how to do that? Is there a way to use
verify, and then fall back to encrypt, but log that, so that the other
postmasters can be informed? Or should we maintain a separate list in
some central place, which interested parties contribute to?

Kind regards,

Paul

[1]: http://www.postfix.org/TLS_README.html#client_tls_verify