Is it possible to get the smtp server to accept certificates which don't match the hostname for outgoing mail?

[smorks]

I've looked through the docs, and found the allow-invalid-certs option for remote hosts, but I can't seem to find an option for outgoing mail?

[mdecimus]

For security reasons it is not advisable to allow invalid certificates from any remote SMTP server. In fact, standards such as DANE and MTA-STS were created to increase TLS transport security.

However, if you need to deliver messages to a trusted SMTP server with a self-signed or expired certificate then you need to add it as a remote host under the [remote] section and then create a route to it using the next-hop key.

[smorks]

while i agree in principle, there are still many badly configured smtp servers out there. it would be nice if we could even specify a list of domains or something where it will accept invalid certs. but i understand if it's something you don't want to do for the sake of security.

[mdecimus]

Yes, that is possible currently, but you need to add each SMTP with invalid certs as an external host using rules. For example:

[queue.outbound]
next-hop = [ { if = "rcpt-domain", eq = "domain1.com", then = "smtp-domain1" }, 
             { if = "rcpt-domain", eq = "domain2.com", then = "smtp-domain2" }, 
             { else = false } ]

[remote."smtp-domain1"]
address = "smtp.domain1.com"
port = 25
protocol = "smtp"
concurrency = 10
timeout = "1m"

[remote."smtp-domain1".tls]
implicit = false
allow-invalid-certs = true

[remote."smtp-domain2"]
address = "smtp.domain2.com"
port = 25
protocol = "smtp"
concurrency = 10
timeout = "1m"

[remote."smtp-domain2".tls]
implicit = false
allow-invalid-certs = true

This rule is using the rcpt-domain key to route messages based on the recipient's domain name. If the remote server with invalid certs handles multiple domains you may want to use the remote-ip key instead or any other of the supported keys.

[smorks]

oh, i should have read your previous answer more closely. thanks!