On Fri, 2010-09-17 at 11:42 -0400, Victor Duchovni wrote:

> On Thu, Sep 16, 2010 at 03:45:17PM -0500, Vernon A. Fort wrote:
> > Yes, it looks like that patch did not make it in.
> > I just happen to run across your post a few days ago - cleared some things up but I could NOT find this in the TLS_README. This would be helpful information, it was for me.
>
> I don't read the documentation that way. It does make it clear that for a public MX host, anything stronger than "may" is impractical on port 25. Also for an internet-facing SMTP client that delivers mail to the MX hosts of any and all domains, likewise, "may" is the right default policy.
>
> Beyond that, you can use "secure" channel peer verification by mutual agreement with specific destination sites, and that policy is best applied by the client.

I fully agree and this IS the way I have it configured - my original post was poorly written. Using =may on both in/out but configuring smtp_tls_policy_maps for sites that I need tighter verification for. I'm playing (for lack of a better term) with the secure settings with two different destinations/sites. The secure option is easy with sites that have a purchased certificate, a little tougher for ones with self-signed but it appears doable.

Thanks for all your input and work related to TLS!

Vernon
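As an added example (not configuration from either poster, and not from the Postfix project), the setup the thread describes: opportunistic "may" on both the inbound server and the outbound client, with smtp_tls_policy_maps raising the level only for destinations agreed with the peer. The domain names, file paths under /etc/postfix and the fingerprint value are placeholders; the parameter names and the policy-table syntax are Postfix's own.

```ini
# /etc/postfix/main.cf (added example; domains and paths are placeholders)

# Inbound, port 25: encrypt when the sending client offers STARTTLS, accept
# cleartext otherwise. Anything stronger would refuse mail from the many
# public senders that have no TLS or no verifiable certificate.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key

# Outbound, default for every destination: same opportunistic policy.
smtp_tls_security_level = may
# CA bundle used to verify peers that the policy table lifts to "secure".
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-destination overrides of the default client policy (see table below).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Digest used when a table entry pins a certificate by fingerprint.
smtp_tls_fingerprint_digest = sha256
# Summary logging: shows whether each delivery reached "Trusted", "Verified"
# or only "Untrusted"/"Anonymous" TLS, which is how a policy mismatch surfaces.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing)
# Keys are the nexthop destination as Postfix resolves it (domain, or [host]:port).

# Partner whose MX presents a CA-issued certificate: require a verified chain
# and require the certificate name to match the nexthop domain or a subdomain.
partner-with-ca-cert.example    secure match=nexthop:dot-nexthop

# Partner with a self-signed certificate: no CA can vouch for it, so pin the
# SHA-256 fingerprint of the certificate itself. Placeholder value; obtain the
# real one from the partner out of band, and expect to update it whenever
# they rotate the certificate.
partner-self-signed.example     fingerprint match=REPLACE_WITH_SHA256_FINGERPRINT
```

With this in place, mail to either partner is deferred rather than downgraded if the handshake cannot reach the required level, which is the point of applying "secure" on the client side by agreement. The fingerprint for a self-signed peer can be read from a copy of their certificate with `openssl x509 -noout -fingerprint -sha256 -in partner.crt`, or observed live with Postfix's `posttls-finger`; the logged `Verified TLS connection established` line is the check that a "secure" entry actually took effect.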