On Sat, Mar 19, 2011 at 03:37:11PM +0100, Raven wrote:

> > As for TLS, the security policy and certificate verification are tied to
> > the nexthop destination, not the recipient domain, if the two differ,
> > it is the nexthop destination that is used. This is documented, please
> > read the documentation carefully.
>
> I'm just wondering, how do I make postfix (client) trust the server's
> certificate? It's self generated, but I'd still like it to be trusted:

Postfix supports either X.509 PKI certificate verification:

    http://www.postfix.org/TLS_README.html#client_tls_secure

or direct certificate fingerprint verification for non-PKI static
self-signed certs:

    http://www.postfix.org/TLS_README.html#client_tls_fprint

> Mar 19 15:33:18 dellsrv3 postfix/smtp[29357]: Untrusted TLS connection
> established to relay.example.org[xxx.xxx.xxx.xxx]:587: TLSv1 with cipher
> ADH-AES256-SHA (256/256 bits)

This is harmless unless you want to thwart MITM attacks, in which case
either the server needs a cert from a trusted CA (chain), or you verify
its fingerprint directly.

-- 
	Viktor.
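
Added example, not part of the original message or of Postfix: a Python sketch that derives the colon-separated fingerprint of a self-signed server certificate from its PEM file and formats the matching smtp_tls_policy_maps entry for the fingerprint approach described above. The nexthop key "[relay.example.org]:587" is assumed from the log line, the choice of SHA-1 is an assumption, and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample: placeholder bytes standing in for a DER certificate so
# the script runs offline. In practice read the server's real PEM file.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_der(pem_text):
    """Return the DER bytes of the first certificate in the PEM text.

    A PEM file may hold a chain; the server's own certificate comes first,
    and that is the one a fingerprint policy pins.
    """
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, digest="sha1"):
    """Digest of the whole DER certificate as upper-case hex pairs joined by ':'.

    The digest must be the one the client is configured to use
    (smtp_tls_fingerprint_digest), otherwise the pin never matches.
    """
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def policy_line(nexthop, pem_text, digest="sha1"):
    """Format one smtp_tls_policy_maps entry pinning nexthop to the cert."""
    return f"{nexthop} fingerprint match={fingerprint(leaf_der(pem_text), digest)}"


if __name__ == "__main__":
    # Assumed nexthop form; it must equal the nexthop Postfix actually uses.
    print(policy_line("[relay.example.org]:587", SAMPLE_PEM))
```

The session in the quoted log used ADH-AES256-SHA, an anonymous Diffie-Hellman cipher in which the server presents no certificate, so there was nothing to verify in that handshake.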