-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Viktor Dukhovni said the following on 09/09/2013 00:33:
> Yes, but you do have to configure Postfix correctly.
:) I managed to solve the problem, the key was smtp_tls_policy_maps, the main
error I made was to put the server name instead the mail domain name (the
recipient is on a different domain from the FQDN of the server). As you
pointed out setting loglevel to 2 helped a lot.
We are talking about the latest version of Postfix compiled from source with
TLS enabled, no precompiled distro package.
This leads to few more questions regarding smtp_tls_policy_maps:
domain.com fingerprint
match=...
in this case domain.com is the domain name of the recipient (the text after
'@' in the mail address) and not the FQDN of the MTA, correct?
If domain.com has a backup MX without TLS how can I tell the
smtp_tls_policy_maps not to use TLS with backup MX?
> You have failed to mention any related transport(5) settings. The SMTP TLS
> policy table lookup key is the transport nexthop.
I didn't set up anything in transport file, Postfix uses the DNS to deliver
the email. Should I put something in the transport file?
>> domain.com fingerprint
>> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
>> mail.domain.com fingerprint
>> match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
>
> Always good to check that the table actually returns these values when
> queried with the right lookup keys. Are these in fact the sha1
> fingerprints of the *peer* certificate? How were they computed?
I computed them using the command line documented on
http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
Too bad I did not read the line below "The Postfix SMTP server and client log
the peer (leaf) certificate fingerprint and public key fingerprint when the
TLS loglevel is 2 or higher." My fault for not reading the entire documentation.
Thank you for your help!
Ciao,
luigi
- --
/
+--[Luigi Rosa]--
\
Love? What does love have to do with marriage?
--Londo Mollari, "War Prayer"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlItc2gACgkQ3kWu7Tfl6ZQ0TACggNAHfp1pzDlXac1MmGbDzfe6
H+sAoJuHNgAi8YyasLLVk+8z5RAiBPm4
=oeW0
-----END PGP SIGNATURE-----