Hello,

I configured my Email server (actually a mailcow-dockerized which in turn uses postfix) to enforce TLS for outbound mail. Obviously that will fail occasionally, but I also have a daemon watching the postfix queue and alerting me. Kind of works for me.

Ok, while subscribing to this mailing list I had to add two more exceptions, because this mailing list uses an untrusted certificate (https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=majord...@postfix.org). Aren't letsencrypt certs cheap enough in order to get rid of untrusted certificates?

When reading the documentation page http://www.postfix.org/TLS_README.html#client_tls however I am wondering what the difference between options “verify” and “secure” is. I read it several times and got the message, I should not use either, but what exactly is the difference remained unclear to me. Is “DNS forgery resistant server certificate verification” defined in some RFC or other document I am not aware of?

Thanks,
Joachim