Server-to-server TLS howto?

[JohnR]

Hi,

I've got my Zimbra 5 server running on Ubuntu 6.06, and it works like a charm. I've got TLS enabled for all the desktop clients, mail comes in and goes out, no problem. Everything works.

And, of course, now I want to change that.

I want to enable TLS between my Zimbra server and other mail servers on the internet - basically, when it relays mail, I want it to make a TLS connection rather than a standard unencrypted one, either to everyone who has TLS enabled (with failover to nonencrypted if the recipient server rejects the TLS handshake) or at least setting it to always and only use TLS to a specific list of domains, while using non-TLS for the internet at large.

Anyone got a link to a howto on setting this up, or some tips on where to get started?

[JohnR]

Nobody?

Using zmlocalconfig to increase the SMTPD TLS logging level just logs clients who handshake with the server, it doesn't log the server's handshakes with other servers.

I added
POSTCONF smtp_use_tls yes
to zmmta.cf and restarted. I now get certificate errors logged when I connect to machines with bad certificates, but I can't confirm that I'm getting a proper TLS connection to machines that *have* good certificates, and I don't exactly have a second mail server that I can watch the logs on, on the recipient side. Does anyone think that might get my job done?