On 24.02.2014 01:16, Dirk Stöcker wrote:
> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>>> smtp_tls_verify_certs=whenpossible
>>
>> SMTP is not HTTP. Due to MX indirection, peer authentication is
>> not possible without explicit per-destination configuration. Once
>> you've gone to all that trouble, you may as well configure a "secure"
>> channel.
>
> I know that there are many side-effects and things which don't work, but that
> does not mean that one can at least try? For a lot of domains there is an MX
> entry and only that server is responsible. So when an SMTP connection is
> made, can't at least the logfile say that cert and MX match?
Which of the MX servers of a domain, if there are more than one?

Please understand: as long as you don't *directly* verify a certificate on both sides there is no trust, and opportunistic means exactly that.

Who defines "trusted"? If you can't answer that question, you can't log that with any gain.
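The explicit per-destination configuration Viktor refers to, shown here as an added example that is not from the thread: the default stays opportunistic ("may", encrypted but unauthenticated), and only the destinations the admin lists in the policy map get a "secure" channel, where the certificate must match the next-hop domain itself rather than whatever MX hostname DNS happened to return. The domain example.com, the CA bundle path and the map path are assumptions.

```conf
# /etc/postfix/main.cf (excerpt, added example)
# Opportunistic TLS by default: encrypt when the peer offers STARTTLS,
# but treat the peer certificate as untrusted, because the MX hostname
# it would be matched against comes from unauthenticated DNS.
smtp_tls_security_level = may

# Log whether each session was anonymous, untrusted, trusted or verified.
smtp_tls_loglevel = 1

# CA bundle used to verify certificates for "secure" destinations.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides: the admin, not DNS, decides who is trusted.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (added example; run "postmap" after editing)
# The certificate of whichever MX serves example.com must be issued by a
# trusted CA and carry example.com or a subdomain of it; the MX hostname
# from DNS is deliberately not used as the match name.
example.com     secure match=.example.com:example.com
```

With this in place a session to example.com that fails the name or CA check is deferred rather than sent, while every other domain continues to get encryption without any claim of authentication.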