Re: TLS Encryption and server verification
Sep 9, 2013
Viktor Dukhovni said the following on 09/09/2013 00:33:
> Yes, but you do have to configure Postfix correctly. :)

I managed to solve the problem, the key was smtp_tls_policy_maps, the main
error I made was to put the server name instead of the mail domain name (the
recipient is on a different domain from the FQDN of the server). As you
pointed out, setting loglevel to 2 helped a lot.
We are talking about the latest version of Postfix compiled from source with
TLS enabled, no precompiled distro package.
This leads to a few more questions regarding smtp_tls_policy_maps:
in this case domain.com is the domain name of the recipient (the text after
'@' in the mail address) and not the FQDN of the MTA, correct?
If domain.com has a backup MX without TLS, how can I tell the
smtp_tls_policy_maps not to use TLS with the backup MX?
> You have failed to mention any related transport(5) settings. The SMTP TLS
> policy table lookup key is the transport nexthop.

I didn't set up anything in the transport file; Postfix uses the DNS to deliver
the email. Should I put something in the transport file?
>> domain.com fingerprint
>> mail.domain.com fingerprint
> Always good to check that the table actually returns these values when
> queried with the right lookup keys. Are these in fact the sha1
> fingerprints of the *peer* certificate? How were they computed?

I computed them using the command line documented on
Too bad I did not read the line below "The Postfix SMTP server and client log
the peer (leaf) certificate fingerprint and public key fingerprint when the
TLS loglevel is 2 or higher." My fault for not reading the entire documentation.
Thank you for your help!
Love? What does love have to do with marriage?
--Londo Mollari, "War Prayer"
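The two points the thread turns on, as an added example that is not part of the original post or of Postfix itself: with DNS-based delivery the policy lookup key is the recipient's mail domain rather than the MX host's FQDN, and a fingerprint entry has to equal the SHA-1 fingerprint of the peer (leaf) certificate that Postfix logs at loglevel 2. The certificate bytes, table contents and fingerprint normalisation below are constructed for this example.

```python
import hashlib

# Constructed placeholder for a peer (leaf) certificate in DER form. A real table
# would hold the fingerprint Postfix logs at smtp_tls_loglevel = 2 (or the output
# of "openssl x509 -noout -fingerprint -sha1" on the server's certificate).
PEER_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def peer_fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Certificate fingerprint in colon-separated upper-case hex (the logged form)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def nexthop(recipient: str) -> str:
    """Policy lookup key for plain DNS-based delivery (no transport(5) override):
    the domain after '@' in the recipient address, lower-cased."""
    return recipient.rsplit("@", 1)[1].strip().lower()


def lookup_policy(policy_map: dict, recipient: str):
    """Return the (level, fingerprints) entry for the recipient's nexthop, or None."""
    return policy_map.get(nexthop(recipient))


def fingerprint_matches(policy, der: bytes, digest: str = "sha1") -> bool:
    """True if the peer certificate's fingerprint is one the policy entry lists.
    Table values are compared case-insensitively with colons ignored (assumed here)."""
    level, fingerprints = policy
    if level != "fingerprint":
        return False
    want = peer_fingerprint(der, digest).replace(":", "")
    return any(fp.replace(":", "").upper() == want for fp in fingerprints)


GOOD_FP = peer_fingerprint(PEER_CERT_DER)

# The mistake from the thread: keyed by the MX host name, so a lookup for the
# recipient domain finds nothing and the fingerprint policy never applies.
POLICY_BY_SERVER_NAME = {"mail.domain.com": ("fingerprint", [GOOD_FP])}

# Keyed by the recipient's mail domain (the transport nexthop), which is what
# Postfix actually queries when delivering user@domain.com via DNS.
POLICY_BY_MAIL_DOMAIN = {"domain.com": ("fingerprint", [GOOD_FP])}

if __name__ == "__main__":
    print("server-name key:", lookup_policy(POLICY_BY_SERVER_NAME, "user@domain.com"))
    policy = lookup_policy(POLICY_BY_MAIL_DOMAIN, "user@domain.com")
    print("mail-domain key:", policy, "matches:", fingerprint_matches(policy, PEER_CERT_DER))
```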