Hi,

I have a TLS-enabled Postfix with a PKI certificate.

The configuration of SMTP TLS is:

    smtp_tls_security_level = may
    smtp_tls_note_starttls_offer = yes
    smtp_tls_fingerprint_digest = sha1
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

and in tls_policy I put some recipient domains I know with "fingerprint" and the fingerprint(s) of their keys.

But many PKI keys last 365 days, so sooner or later the fingerprints are no longer valid and the mail will not be delivered to those domains until I change the policy or I put a new fingerprint.

My question is: with PKI keys, is it better to leave the opportunistic TLS policy and use fingerprint only for self-issued keys with 3650 days of validity, or are there some better ways to handle this?

Thank you in advance.

Ciao,
luigi

--
/ +--[Luigi Rosa]-- \

I have always imagined that paradise will be a kind of library.
--Jorge Luis Borges
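
Added example (not part of the original message): a Python check that compares each destination pinned at the "fingerprint" level in tls_policy with the certificate its server presents now, so a renewed certificate is noticed before delivery to it stops. The domains, the stand-in certificate bytes and the function names are constructed for illustration.

```python
import hashlib
import smtplib
import ssl

def postfix_fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Digest of the DER certificate as colon-separated upper-case hex."""
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def parse_policy(text: str) -> dict:
    """Map each destination at level 'fingerprint' to its pinned digests."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:      # continuation of previous entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pins = {}
    for fields in (line.split() for line in logical):
        if len(fields) >= 2 and fields[1] == "fingerprint":
            pins[fields[0]] = {fp.upper() for a in fields[2:]
                               if a.startswith("match=")
                               for fp in a[len("match="):].split("|")}
    return pins

def fetch_der(host: str, port: int = 25) -> bytes:
    """Fetch a server certificate over STARTTLS; CA validation is skipped
    because only the digest of the presented certificate is compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

def stale_pins(pins: dict, observed: dict, digest: str = "sha1") -> list:
    """Destinations whose observed certificate matches none of their pins."""
    return sorted(d for d, der in observed.items()
                  if d in pins and postfix_fingerprint(der, digest) not in pins[d])

# Constructed stand-ins for DER certificates (any bytes hash the same way).
OLD_CERT = b"constructed certificate, before renewal"
NEW_CERT = b"constructed certificate, after renewal"
SAMPLE_POLICY = (
    "# constructed tls_policy entries\n"
    f"example.com fingerprint\n    match={postfix_fingerprint(OLD_CERT)}\n"
    f"example.org fingerprint match={postfix_fingerprint(OLD_CERT)}"
    f"|{postfix_fingerprint(NEW_CERT)}\n"
    "example.net encrypt\n")
```

On a live system, fill `observed` with the result of `fetch_der()` for each destination's MX host and pass the digest configured in smtp_tls_fingerprint_digest.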