On Fri, Oct 30, 2015 at 09:20:05AM -0400, Wietse Venema wrote:

> > postfix/smtp[6891]: 17A3F232B1: to=<cdr....@ahq.tcs.mil.example>,
> > relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> > dsn=4.7.5, status=deferred (Server certificate not verified)
>
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Note that with a nexthop relay of [201.123.80.173], default matching the
relay hostname won't work either. If the recipient domain does not appear
in the peer certificate, then an explicit "match=..." in the destination
policy MUST be specified to match this SMTP server.

-- 
	Viktor.
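An illustration of the per-destination policy being discussed, added here as an example and not taken from either message or from the Postfix documentation. It assumes the transport table already routes the domain to the next-hop `[201.123.80.173]:25` shown in the log, that the CA bundle lives in `/etc/ssl/certs`, and that the name actually present in the server's certificate is `mx.ahq.tcs.mil.example` (a placeholder; substitute the name printed by `openssl s_client`, or seen in the Postfix "certificate verification" log lines, for the real server):

```text
# /etc/postfix/main.cf (constructed excerpt)
smtp_tls_security_level = may
smtp_tls_CApath         = /etc/ssl/certs
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (constructed)
#
# The lookup key is the next-hop destination exactly as the transport
# table produces it, square brackets and port included.  With an IP
# literal as next-hop, the default "secure" match would compare the
# certificate against "201.123.80.173", which no CA-issued certificate
# carries, so the accepted names must be listed explicitly.  Entries
# are separated by ":"; a leading "." matches any subdomain.
[201.123.80.173]:25   secure   match=mx.ahq.tcs.mil.example:.ahq.tcs.mil.example

# Rebuild the indexed map after editing, then reload:
#   postmap /etc/postfix/tls_policy
#   postfix reload
```

The weak alternative of dropping the destination to `encrypt` would make the "Server certificate not verified" deferral go away, but only by accepting any certificate, which gives up the protection the `secure` level was configured to provide; listing the real certificate name under `match=` keeps verification in place while making it match the relay actually in use. After the change, the `delays=` and `dsn=4.7.5` entries for this relay should disappear from the log, which is the check that the policy key and the `match=` names were both right.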