On Fri, Sep 17, 2010 at 11:33:58AM -0500, Vernon A. Fort wrote:
> On Fri, 2010-09-17 at 12:17 -0400, Victor Duchovni wrote:
> > On Fri, Sep 17, 2010 at 11:09:14AM -0500, Vernon A. Fort wrote:
> >
> > > I fully agree and this IS the way I have it configured - my original
> > > post was poorly written. Using =may on both in/out but configure
> > > smtp_tls_policy_maps for sites that I need tighter verification. I'm
> > > playing (for lack of a better term) with the secure settings with two
> > > different destinations/sites. The secure option is easy with sites who
> > > have a purchased certification, a little tougher for ones with
> > > self-signed but it appears doable.
> >
> > For self-signed sites, "secure" is not a good option, since you don't want
> > to add their CA to your trust CA list. At best you can do "fingerprint"
> > verification, or just enforce "encrypt" with no certificate checks.
>
> Hum - I see your point with self-signed. My intention was related to
> sites/destinations that I control. After pondering your response, if I
> control both sides, exchanging CAs would then be purely cosmetic?
>
> Fingerprints it is then on sites I need more verification.
If you manage both ends, you don't need a CA. A fingerprint database is
sufficient, more secure and easier to manage IMHO.

-- 
Viktor.
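As an added illustration (not part of the thread above), this is what the setup Viktor recommends looks like in Postfix: opportunistic TLS by default, full CA verification only for a destination with a purchased certificate, and certificate pinning by fingerprint for a self-signed destination you control. The hostnames, map path and fingerprint value are placeholders.

```conf
# --- main.cf (added example, placeholders throughout) ---
# Opportunistic TLS everywhere; per-destination policy overrides this.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Digest used to compare the fingerprints listed in tls_policy.
# The values in the map MUST be computed with this same algorithm.
smtp_tls_fingerprint_digest = sha256
# Needed only for the "secure" entry below: the CA bundle that
# issued the purchased certificate. Self-signed CAs do not go here.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ---
# Destination you control, self-signed cert: pin the certificate itself.
# No CA is consulted at all, so exchanging CAs would be cosmetic.
# Several fingerprints may be listed, separated by "|", e.g. during
# a key rollover.  Placeholder value below; replace with the real digest:
#   openssl s_client -starttls smtp -connect mx.partner.example:25 </dev/null \
#     | openssl x509 -noout -fingerprint -sha256
partner.example   fingerprint match=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99

# Destination with a purchased certificate: verify the chain against
# smtp_tls_CAfile and require the name to match.
bank.example      secure match=mx.bank.example

# Destination where you only want to guarantee encryption on the wire,
# with no certificate checks at all.
peer.example      encrypt
```

When the pinned peer replaces its certificate, mail to that destination is deferred until the map is updated, so schedule fingerprint changes together with the peer.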