On Fri, 2010-09-17 at 12:17 -0400, Victor Duchovni wrote:
> On Fri, Sep 17, 2010 at 11:09:14AM -0500, Vernon A. Fort wrote:
>
> > I fully agree and this IS the way I have it configured - my original
> > post was poorly written. Using =may on both in/out but configure
> > smtp_tls_policy_maps for sites that I need tighter verification. I'm
> > playing (for lack of a better term) with the secure settings with two
> > different destination/sites. The secure option is easy with sites who
> > have a purchased certification, a little tougher for ones with
> > self-signed but it appears doable.
>
> For self-signed sites, "secure" is not a good option, since you don't want
> to add their CA to your trust CA list. At best you can do "fingerprint"
> verification, or just enforce "encrypt" with no certificate checks.
>

Hum - I see your point with self-signed. My intention was related to
sites/destinations that I control. After pondering your response, if I
control both sides, exchanging CAs would then be purely cosmetic?
Fingerprints it is then on sites I need more verification.

Vernon
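The "fingerprint" level discussed in this thread pins a destination to the digest of its DER-encoded certificate, listed as a match= attribute in the smtp_tls_policy_maps table. The sketch below is an added example, not code from the thread or from Postfix: it derives that digest from a PEM file and formats a policy line. The next-hop name and the sample "certificate" bytes are constructed placeholders, and the digest algorithm is assumed to be the one set in smtp_tls_fingerprint_digest.

```python
import base64
import hashlib
import re

# Constructed placeholder: NOT a real certificate, only bytes in PEM armor so
# the example runs offline. In practice, read the peer's certificate file.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def cert_fingerprint(pem_text, digest="sha256"):
    """Return the colon-separated digest of the first certificate in pem_text.

    The digest covers the DER encoding (the base64 payload, decoded), so the
    result does not depend on PEM line wrapping. `digest` must name the same
    algorithm as smtp_tls_fingerprint_digest in main.cf, or nothing matches.
    """
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def policy_entry(nexthop, pem_texts, digest="sha256"):
    """Format one smtp_tls_policy_maps line at the 'fingerprint' level.

    Several certificates may be listed (e.g. current and replacement) so a
    planned certificate change does not interrupt delivery.
    """
    matches = " ".join(
        "match=" + cert_fingerprint(p, digest) for p in pem_texts
    )
    return f"{nexthop} fingerprint {matches}"


if __name__ == "__main__":
    # "[mail.example.com]:25" is a hypothetical next-hop for illustration.
    print(policy_entry("[mail.example.com]:25", [SAMPLE_PEM]))
```

The printed line goes into the policy table file; run postmap on it afterwards if the table is a hash: or similar indexed map.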