Re: TLS Encryption and server verification

  • Luigi Rosa
    Sep 9, 2013

      Viktor Dukhovni said the following on 09/09/2013 00:33:

      > Yes, but you do have to configure Postfix correctly.

      :) I managed to solve the problem, the key was smtp_tls_policy_maps; the main
      error I made was to put the server name instead of the mail domain name (the
      recipient is on a different domain from the FQDN of the server). As you
      pointed out, setting loglevel to 2 helped a lot.

      We are talking about the latest version of Postfix compiled from source with
      TLS enabled, no precompiled distro package.

      This leads to a few more questions regarding smtp_tls_policy_maps:

      domain.com fingerprint

      in this case domain.com is the domain name of the recipient (the text after
      '@' in the mail address) and not the FQDN of the MTA, correct?

      If domain.com has a backup MX without TLS how can I tell the
      smtp_tls_policy_maps not to use TLS with backup MX?

      > You have failed to mention any related transport(5) settings. The SMTP TLS
      > policy table lookup key is the transport nexthop.

      I didn't set up anything in the transport file; Postfix uses DNS to deliver
      the email. Should I put something in the transport file?

      >> domain.com fingerprint
      >> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
      >> mail.domain.com fingerprint
      >> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
      > Always good to check that the table actually returns these values when
      > queried with the right lookup keys. Are these in fact the sha1
      > fingerprints of the *peer* certificate? How were they computed?

      I computed them using the command line documented on
      Too bad I did not read the line below "The Postfix SMTP server and client log
      the peer (leaf) certificate fingerprint and public key fingerprint when the
      TLS loglevel is 2 or higher." My fault for not reading the entire documentation.

      Thank you for your help!


      --
      +--[Luigi Rosa]--

      Love? What does love have to do with marriage?
      --Londo Mollari, "War Prayer"
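Added example, not part of the thread above: a small Python model of the two points the reply turns on, namely that the smtp_tls_policy_maps lookup key is the transport nexthop (the recipient's domain when no transport(5) entry overrides it, so a `mail.domain.com` line is never consulted for `user@domain.com`), and that the fingerprint Postfix logs and matches is a digest over the DER encoding of the peer's leaf certificate, written as colon-separated hex. The certificate bytes and policy lines are constructed, the digest name must agree with the real `smtp_tls_fingerprint_digest` setting, and the case- and colon-insensitive comparison is this example's own normalization, not a statement about how Postfix compares.

```python
import hashlib

# Constructed stand-in for the DER bytes of a peer's leaf certificate.
# Postfix digests exactly the DER encoding of the certificate it received
# from the peer; a real one can be captured with
#   openssl s_client -connect mx.domain.com:25 -starttls smtp
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def postfix_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the DER certificate in Postfix's aa:bb:cc:... form.
    `algorithm` must match smtp_tls_fingerprint_digest in main.cf."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Example's own normalization so aa:BB and aabb compare equal.
    return fp.replace(":", "").lower()


def nexthop_key(recipient: str) -> str:
    """Lookup key with no transport(5) override: the recipient domain
    (text after '@'), not the hostname of the MX that will be contacted."""
    return recipient.rsplit("@", 1)[1].lower()


def policy_line(nexthop: str, der: bytes, algorithm: str = "sha1") -> str:
    """Render one smtp_tls_policy_maps entry pinning this leaf certificate."""
    return f"{nexthop} fingerprint match={postfix_fingerprint(der, algorithm)}"


def parse_policy_map(text: str) -> dict:
    """Parse '<nexthop> <level> [match=<fp>[|<fp>...]] ...' lines into a dict.
    Several acceptable fingerprints may be listed, separated by '|'."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, level, attrs = fields[0].lower(), fields[1], fields[2:]
        matches = []
        for attr in attrs:
            if attr.startswith("match="):
                matches += [_normalize(m) for m in attr[len("match="):].split("|")]
        table[key] = {"level": level, "match": matches}
    return table


def lookup_policy(table: dict, recipient: str):
    """Policy for a recipient, or None when no entry exists for the nexthop
    (in real Postfix the smtp_tls_security_level default would then apply)."""
    return table.get(nexthop_key(recipient))


def fingerprint_accepted(policy: dict, leaf_der: bytes, algorithm: str = "sha1") -> bool:
    """True only for a 'fingerprint' policy whose match list contains the
    digest of the presented leaf certificate."""
    if policy["level"] != "fingerprint":
        return False
    return _normalize(postfix_fingerprint(leaf_der, algorithm)) in policy["match"]


if __name__ == "__main__":
    # Constructed map: the domain line is keyed on the recipient domain,
    # the mail.domain.com line pins an unrelated (constructed) certificate.
    policy_map = "\n".join([
        "# nexthop        level        attributes",
        policy_line("domain.com", SAMPLE_LEAF_DER),
        policy_line("mail.domain.com", b"some other certificate"),
    ])
    table = parse_policy_map(policy_map)
    policy = lookup_policy(table, "user@domain.com")
    print("lookup key:", nexthop_key("user@domain.com"))
    print("leaf fingerprint:", postfix_fingerprint(SAMPLE_LEAF_DER))
    print("accepted:", fingerprint_accepted(policy, SAMPLE_LEAF_DER))
```

Run it to see which key is actually consulted for a recipient, then compare the printed fingerprint with what `postmap -q domain.com hash:/etc/postfix/tls_policy` returns and with the peer fingerprint Postfix logs at loglevel 2.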
