On Fri, Sep 17, 2010 at 11:09:14AM -0500, Vernon A. Fort wrote:

> I fully agree and this IS the way I have it configured - my original
> post was poorly written. Using =may on both in/out but configure
> smtp_tls_policy_maps for sites that I need tighter verification. I'm
> playing (for lack of a better term) with the secure settings with two
> different destination/sites. The secure option is easy with sites who
> have a purchased certification, a little tougher for ones with
> self-signed but it appears doable.

For self-signed sites, "secure" is not a good option, since you don't
want to add their CA to your trust CA list. At best you can do
"fingerprint" verification, or just enforce "encrypt" with no certificate
checks.

-- 
Viktor.
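
A Postfix configuration fragment for the setup discussed in this thread, added here as an illustration and not taken from either poster's system. The domain names, file paths and the fingerprint value are placeholders, and the digest choice is an assumption.

```conf
# --- /etc/postfix/main.cf (path assumed) ---
# Opportunistic TLS by default, inbound and outbound ("=may on both in/out").
smtpd_tls_security_level = may
smtp_tls_security_level  = may

# Per-destination overrides for sites that need tighter verification.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Trust anchors used only by the "secure" (and "verify") levels.
# A peer's self-signed certificate is NOT added here.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Digest used for "fingerprint" matching (assumed; must be supported by
# the local OpenSSL build).
smtp_tls_fingerprint_digest = sha256

# --- /etc/postfix/tls_policy (path assumed) ---
# Rebuild the lookup table after every edit:  postmap /etc/postfix/tls_policy

# Destination with a CA-issued certificate: require a trusted chain and
# a name match against the next-hop domain or its subdomains.
partner-ca.example          secure match=nexthop:dot-nexthop

# Destination with a self-signed certificate: pin the certificate itself
# rather than trusting its issuer. Obtain the fingerprint out of band from
# the remote administrator, e.g. as printed by:
#   openssl x509 -noout -fingerprint -sha256 -in peer-cert.pem
# The value below is a placeholder, not a real fingerprint.
partner-selfsigned.example  fingerprint match=<SHA256-FINGERPRINT-OF-PEER-CERT>

# Destination where only encryption is enforced, with no certificate checks.
partner-other.example       encrypt
```

A pinned fingerprint has to be updated when the remote site replaces its certificate, otherwise delivery to that destination is deferred.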