On Wed, 2025-06-18 at 23:27 +1000, Viktor Dukhovni via Exim-users wrote:
> Understood, thanks. FWIW the "fingerprint" security level in Postfix
> allows the SMTP client to authenticate the remote server by matching the
> presented certificate or public key digest against any of a set of
> expected fingerprints. The policy applicable to a given nexthop
> destination is typically a result of a table lookup.
>
>     <nexthop> fingerprint match=digest [match=digest ...]
>
> > This could be compared against a reference value, for example
> > in the "client_condition" option of the authenticator being
> > used for the OP connection.
>
> Sounds like with a bit of attention to detail it should be possible to
> put together equivalent logic in Exim. Use the nexthop as a lookup
> key to find the expected digest(s) and then compare...

He can probably just set up stunnel, and tell Exim to connect to that
instead. I think you can just hand a server cert to stunnel and tell it
to require that one.

--
Mike Cardwell <mike.cardw...@grepular.com>
@grepular:matrix.org
https://www.linkedin.com/in/mikecardwell
https://www.grepular.com
https://bsky.app/profile/grepular.com
@grepular@mastodon.social
https://www.emailprivacytester.com
https://gitlab.com/grepular
https://www.parsemail.org
https://hub.docker.com/u/grepular
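The lookup-then-compare logic discussed in the quoted text (nexthop as lookup key, then match the presented certificate digest against the expected set), as an added Python example that is not part of the thread and is not Postfix, Exim or stunnel code. Assumptions: SHA-256 over the DER-encoded certificate, a simplified parser for the table line format quoted above, and constructed byte strings and a hypothetical nexthop `[smarthost.example]:587` standing in for real data; public key digests are not covered.

```python
import hashlib
import hmac

def colon_hex(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes in the usual AA:BB:... notation."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def parse_policy(text: str) -> dict:
    """Parse '<nexthop> fingerprint match=digest [match=digest ...]' lines."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nexthop, level, *attrs = line.split()
        if level != "fingerprint":
            continue  # other security levels are out of scope here
        pins = [bytes.fromhex(a[6:].replace(":", ""))
                for a in attrs if a.startswith("match=")]
        if not pins:
            raise ValueError(f"{nexthop}: no match= digest given")
        policy[nexthop.lower()] = pins
    return policy

def cert_matches(policy: dict, nexthop: str, cert_der: bytes,
                 algo: str = "sha256") -> bool:
    """True only if the presented certificate digest equals a pinned one."""
    pins = policy.get(nexthop.lower())
    if not pins:
        return False  # no pin for this nexthop: fail closed
    presented = hashlib.new(algo, cert_der).digest()
    ok = False
    for pin in pins:  # no early exit; compare_digest is constant-time
        ok |= hmac.compare_digest(presented, pin)
    return ok

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_CURRENT = b"constructed DER bytes: current server certificate"
CERT_NEXT = b"constructed DER bytes: replacement certificate"
CERT_OTHER = b"constructed DER bytes: unexpected certificate"

# Two pins for one nexthop so a certificate rollover does not break delivery.
TABLE = f"""
# nexthop                 level        expected digests
[smarthost.example]:587   fingerprint  match={colon_hex(CERT_CURRENT)} match={colon_hex(CERT_NEXT)}
"""
POLICY = parse_policy(TABLE)

if __name__ == "__main__":
    for name, der in [("current", CERT_CURRENT), ("next", CERT_NEXT), ("other", CERT_OTHER)]:
        print(name, cert_matches(POLICY, "[smarthost.example]:587", der))
```

With a real connection, the bytes passed to `cert_matches` would be the peer's DER certificate as returned by the TLS library in use.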