Viktor Dukhovni said the following on 09/09/2013 00:33:

> Yes, but you do have to configure Postfix correctly. :)

I managed to solve the problem, the key was smtp_tls_policy_maps, the main error I made was to put the server name instead of the mail domain name (the recipient is on a different domain from the FQDN of the server). As you pointed out, setting loglevel to 2 helped a lot.

We are talking about the latest version of Postfix compiled from source with TLS enabled, no precompiled distro package.

This leads to a few more questions regarding smtp_tls_policy_maps:

domain.com fingerprint match=...

In this case domain.com is the domain name of the recipient (the text after '@' in the mail address) and not the FQDN of the MTA, correct?

If domain.com has a backup MX without TLS, how can I tell smtp_tls_policy_maps not to use TLS with the backup MX?

> You have failed to mention any related transport(5) settings. The SMTP TLS
> policy table lookup key is the transport nexthop.

I didn't set up anything in the transport file, Postfix uses the DNS to deliver the email. Should I put something in the transport file?

>> domain.com fingerprint
>> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
>> mail.domain.com fingerprint
>> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
>
> Always good to check that the table actually returns these values when
> queried with the right lookup keys. Are these in fact the sha1
> fingerprints of the *peer* certificate? How were they computed?

I computed them using the command line documented on http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest

Too bad I did not read the line below: "The Postfix SMTP server and client log the peer (leaf) certificate fingerprint and public key fingerprint when the TLS loglevel is 2 or higher."

My fault for not reading the entire documentation.

Thank you for your help!

Ciao,
luigi

- --
/ +--[Luigi Rosa]-- \
Love? What does love have to do with marriage?
--Londo Mollari, "War Prayer"
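The two points Viktor raises above (how the fingerprints were computed, and whether the table returns them for the right lookup key) can be checked end to end outside of Postfix. The script below is an added example, not part of the original thread and not Postfix's own tooling: it generates a throwaway self-signed certificate standing in for the peer's leaf certificate, computes the certificate fingerprint the way postconf(5) documents (and again by DER-encoding and hashing, as a cross-check), computes the separate public-key fingerprint, then writes a constructed policy source file keyed by the recipient domain and looks the key up. The domain name example.invalid, the file names, and the function names are assumptions made for the example; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post or the Postfix project).
# Assumes the openssl CLI is installed; everything else is generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/peer.pem"
POLICY="$WORK/tls_policy"

# Constructed input: a self-signed certificate playing the role of the
# remote MTA's leaf certificate (in real use, the cert the peer presents).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=mail.example.invalid" \
    -keyout "$WORK/peer.key" -out "$CERT" >/dev/null 2>&1

# Certificate fingerprint as postconf(5) documents it: SHA-1 over the DER
# encoding of the whole certificate, lowercase and colon-separated, which is
# the form Postfix logs at TLS loglevel 2 and compares against "match=".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' | tr 'A-F' 'a-f'
}

# The same value computed the long way (DER-encode, then hash). A mismatch
# means the wrong input was hashed, e.g. a PEM bundle rather than one cert.
cert_fingerprint_manual() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha1 -c \
        | sed -e 's/^.*= *//'
}

# Public-key fingerprint: SHA-1 over the DER SubjectPublicKeyInfo only.
# This is the second value Postfix logs; it survives certificate renewals
# that keep the same key, which the certificate fingerprint does not.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 -c \
        | sed -e 's/^.*= *//'
}

# Exact-key lookup over a policy source file: prints the value for the key,
# nothing if absent. The key is the next-hop destination (the recipient
# domain when no transport(5) entry overrides it), not the MX host name.
# This stands in for "postmap -q key hash:/etc/postfix/tls_policy".
policy_lookup() {
    awk -v key="$2" '
        /^#/ || NF == 0 { next }
        $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Write the constructed policy source, keyed by the recipient domain.
{
    printf '# constructed smtp_tls_policy_maps source; key = next-hop destination\n'
    printf '%s fingerprint match=%s\n' example.invalid "$(cert_fingerprint "$CERT")"
} > "$POLICY"

echo "certificate fingerprint: $(cert_fingerprint "$CERT")"
echo "public-key fingerprint:  $(pubkey_fingerprint "$CERT")"
echo "policy for example.invalid:      $(policy_lookup "$POLICY" example.invalid)"
echo "policy for mail.example.invalid: $(policy_lookup "$POLICY" mail.example.invalid)"
```

The last two lines show the mistake from the thread: an entry keyed by the MX host name is never found when mail is routed by recipient domain, so the lookup for mail.example.invalid returns nothing. Against a real deployment, replace the constructed certificate with the one the peer presents, build the table with postmap, and confirm with `postmap -q` that the key Postfix will actually use returns the expected value; the fingerprint logged at loglevel 2 must match character for character.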