On Mon, Mar 12, 2012 at 01:15:01PM -0700, Richard Troy wrote:

> "Public Internet MX hosts without certificates signed by a "reputable" CA
> must generate, and be prepared to present to most clients, a self-signed
> or private-CA signed certificate. The remote SMTP client will generally
> not be able to authenticate the self-signed certificate, but unless the
> client is running Postfix or similar software, it will still insist on a
> server certificate."

As the author of the above quoted text, I can assure you that it has been misinterpreted. What the text is saying is that you need some kind of certificate; not configuring any certificates at all (by setting "smtpd_tls_cert_file = none" and not defining '...dcert_file' or '...eccert_file') is what's going to not work for most clients. This is amplified by the context of the first sentence which clearly presents the option of a self-signed cert. In the second sentence I say that the client will want *a* server certificate, as opposed to forgoing all certs and negotiating an anonymous TLS ciphersuite.

-- Viktor.
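
An added example (not part of the original message, and not Postfix code): a small Python audit check that reads main.cf text and flags the certificate-less setup described above, that is, "smtpd_tls_cert_file = none" with neither smtpd_tls_dcert_file nor smtpd_tls_eccert_file defined. The function names, status labels and sample file paths are assumptions made for the illustration.

```python
import re

CERT_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_dcert_file", "smtpd_tls_eccert_file")

def parse_main_cf(text):
    """Parse main.cf text into a dict; a later definition overrides an earlier one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the previous line
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def server_cert_status(text):
    """Return 'certificate', 'anonymous-only' or 'unset' (labels are hypothetical)."""
    params = parse_main_cf(text)
    values = {p: params.get(p, "") for p in CERT_PARAMS}
    if any(v and v != "none" for v in values.values()):
        return "certificate"      # some server certificate (self-signed is fine) is configured
    if values["smtpd_tls_cert_file"] == "none":
        return "anonymous-only"   # the setup most clients will not negotiate with
    return "unset"                # no certificate parameter set in this file

# Constructed samples; the file paths are placeholders, not taken from the message.
CERTLESS = (
    "# certificate-less server\n"
    "smtpd_tls_security_level = may\n"
    "smtpd_tls_cert_file = none\n"
)
SELF_SIGNED = (
    "smtpd_tls_security_level = may\n"
    "smtpd_tls_cert_file =\n"
    "    /etc/postfix/tls/selfsigned.pem\n"
    "smtpd_tls_key_file = /etc/postfix/tls/selfsigned.key\n"
)

if __name__ == "__main__":
    for name, sample in (("certless", CERTLESS), ("self-signed", SELF_SIGNED)):
        print(name, "->", server_cert_status(sample))
```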