The question is wrong. One is not "more-stringent" than the other, they
just check for different things.
As TLS is not mandatory for SMTP over the general internet, its
availability is patchy at best. For the servers that do provide STARTTLS
and a certificate, what's actually on the certificate is anyone's guess.
As the certificate is most likely self-signed, its contents are pretty
irrelevant anyway. That is why the general advice is do not INSIST on
SSL on the big bad internet. You will almost certainly find that most of
your mail will not be delivered.
That said, the only real use case for certificate validation is when you
_know_ (by pre-arrangement) that the server you are talking to supports
TLS. And if you already know it supports TLS, you can find out what is
on the server's certificate and choose the appropriate test. If you're
not sure, choose both.
Suppose you are sending mail to example.com, and nexthop is assigned
"example.com", then..
If the certificate says SAN: DNS:mailserver.example.com, then you'll
want the "dot-nexthop" test. If the certificate says SAN:
DNS:example.com, then you'll want the "nexthop" test.
If you're not sure, it's relatively safe to list both tests. Just be
careful with the "hostname" test. If the hostname comes from a
non-DNSSEC MX lookup, it should not be "trusted".
regards..
On 1/05/2023 7:02 pm, Kolusion K via Postfix-users wrote:
Hello
Regarding the smtp_tls_verify_cert_match parameter, is the
configuration 'dot-nexthop' more stringent than 'nexthop'?
Thank you
Sincerely,
Kolusion
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
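The reply above explains the three name tests by example but never shows them side by side. The following is an added illustration, not Postfix source and not code from either poster: a small Python model of how "nexthop", "dot-nexthop" and "hostname" decide whether a server certificate's SAN names are acceptable for a given next-hop, plus the reply's advice that an MX hostname from a non-DNSSEC lookup should not be trusted. The `PeerCertificate` type, the `certificate_matches()` function, the any-test-suffices rule for a list of tests, the simplified `[host]:port` parsing and the "any depth of subdomain" reading of dot-nexthop are all assumptions of this model; wildcard names and CN fallback are deliberately left out.

```python
"""Model of the Postfix smtp_tls_verify_cert_match name tests.

Added example (not Postfix source). It encodes the "nexthop",
"dot-nexthop" and "hostname" rules as the reply describes them and
fails the hostname test closed when the MX name was not obtained via
DNSSEC. Wildcard SANs and CN fallback are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCertificate:
    """Only the DNS names from the SubjectAltName extension matter here."""
    san_dns: tuple[str, ...]


def normalize(name: str) -> str:
    """Compare case-insensitively and ignore a trailing dot."""
    return name.strip().rstrip(".").lower()


def nexthop_domain(nexthop: str) -> str:
    """Strip the optional [] and :port from a next-hop destination.
    Assumption: simplified parsing of forms like '[mx.example.com]:587'."""
    host = nexthop.strip()
    if host.startswith("[") and "]" in host:
        host = host[1:host.index("]")]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return normalize(host)


def match_nexthop(cert: PeerCertificate, nexthop: str) -> bool:
    """'nexthop': some SAN must equal the next-hop domain exactly."""
    target = nexthop_domain(nexthop)
    return any(normalize(n) == target for n in cert.san_dns)


def match_dot_nexthop(cert: PeerCertificate, nexthop: str) -> bool:
    """'dot-nexthop': some SAN must be a subdomain of the next-hop domain,
    so mailserver.example.com matches '.example.com' while example.com
    itself does not. Assumption: subdomains of any depth are accepted."""
    suffix = "." + nexthop_domain(nexthop)
    return any(normalize(n).endswith(suffix) for n in cert.san_dns)


def match_hostname(cert: PeerCertificate, mx_hostname: str,
                   dnssec_validated: bool) -> bool:
    """'hostname': some SAN must equal the server's MX hostname. Following
    the reply's advice, a hostname from a non-DNSSEC MX lookup is not
    trusted, so the test fails closed in that case."""
    if not dnssec_validated:
        return False
    target = normalize(mx_hostname)
    return any(normalize(n) == target for n in cert.san_dns)


def certificate_matches(cert: PeerCertificate, nexthop: str,
                        mx_hostname: str, tests: tuple[str, ...],
                        dnssec_validated: bool = False) -> bool:
    """Apply the configured tests; the certificate is accepted when any
    one of them matches (assumption: listed tests are alternatives,
    which is what 'list both' in the reply implies)."""
    for test in tests:
        if test == "nexthop" and match_nexthop(cert, nexthop):
            return True
        if test == "dot-nexthop" and match_dot_nexthop(cert, nexthop):
            return True
        if test == "hostname" and match_hostname(cert, mx_hostname,
                                                 dnssec_validated):
            return True
        if test not in ("nexthop", "dot-nexthop", "hostname"):
            raise ValueError(f"unknown match test: {test}")
    return False


if __name__ == "__main__":
    # Constructed sample data: the two certificates from the reply, plus a
    # look-alike name that a strict suffix check must reject.
    nexthop = "example.com"
    mx = "mailserver.example.com"
    samples = {
        "SAN=example.com": PeerCertificate(("example.com",)),
        "SAN=mailserver.example.com": PeerCertificate((mx,)),
        "SAN=example.com.attacker.test":
            PeerCertificate(("example.com.attacker.test",)),
    }
    for label, cert in samples.items():
        for tests in (("nexthop",), ("dot-nexthop",),
                      ("nexthop", "dot-nexthop")):
            ok = certificate_matches(cert, nexthop, mx, tests)
            print(f"{label:32} tests={','.join(tests):20} -> {ok}")
```

Running the block prints one line per certificate and test list; the SAN `example.com` certificate passes only `nexthop`, the `mailserver.example.com` certificate passes only `dot-nexthop`, both pass when both tests are listed, and the look-alike `example.com.attacker.test` name passes neither, because the dot-nexthop suffix check requires the name to end in `.example.com`.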