Currently, Enterprise Manager (and apparently also VBR) requires manual confirmation of a new SMTP server certificate whenever it changes — even if the certificate is valid, trusted by the OS, and has a complete chain (e.g., Let’s Encrypt R10 → ISRG Root X1).
This behavior breaks automation every 90 days when Let's Encrypt renews the certificate and results in missed notification emails unless someone manually disables and re-enables SMTP notifications to confirm the new thumbprint.
In our case, we are using an internal mail relay with IP-based access (no SMTP authentication) and STARTTLS on port 587.
We understand the original intent (to prevent MITM), but for many setups — especially with IP-restricted internal relays using Let's Encrypt — this becomes an unnecessary burden.
**Feature request:**Please make this behavior configurable — ideally allow EM/VBR to trust certificates based on the OS trust store (like most modern applications) and skip manual thumbprint confirmation, at least when no authentication is used.
Thanks!
– Tomáš Jirka
DCIT, a.s.