On Wed, Jun 12, 2013 at 03:02:40PM +0200, Peter Bauer wrote:
> I got a connection from someone with a client certification:
> Received: from foo.bar (foo.bar [10.0.0.1])
> (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
> (Client CN "mail.foo.bar", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified))
> by myserver.com (Postfix) with ESMTPS id 62A9141C05A4
> for <me@...>; Wed, 12 Jun 2013 14:46:07 +0200 (CEST)
> My problem is the following entry in the header:
> -> (not verified)
This means the corresponding root CA was not in your CAfile or CApath, or
the client configuration neglected to include the required intermediate CA
> I would like to verify the fingerprint of this client certificate
> of the incoming connection.
The fingerprint is always "verified", in the sense that its authenticity
is never in doubt. What would you like to do with an authentic fingerprint?
> At least it would be fine if the certificate could be checked.
The validity of its trust chain was checked, and verification failed that's
what "not verified" means.
> I have not found any option how to tell postfix to check client
> connection certificates (I mean incoming TLS connections).
Check for what? See my previous post.