On 9/20/2013 6:36 AM, Luigi Rosa wrote:
> Hi, I have a TLS enabled Postfix with a PKI certificate.
>
> The configuration of SMTP TLS is:
>
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> and in tls_policy I put some recipient domains I know with "fingerprint" and the fingerprint(s) of their keys.
>
> But many PKI keys last 365 days, so sooner or later the fingerprints are no longer valid and the mail will not be delivered to those domains until I change the policy or I put a new fingerprint.
>
> My question is: with PKI keys, is it better to leave the opportunistic TLS policy and use fingerprint only for self-issued keys with 3650 days of validity, or are there some better ways to handle this?
Fingerprint verification is intended for a very limited number of clients -- typically internal hosts or highly trusted business partners willing to closely cooperate with you. Without close cooperation from the remote site, fingerprint verification just isn't practical.

For an arbitrary third-party site, you'll probably need to stick to "encrypt" or maybe in some cases "verify".
http://www.postfix.org/TLS_README.html#client_tls

Hopefully widespread DANE adoption will take the pain out of this in the future.

-- Noel Jones
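An added example, not from the thread and not Postfix's own tooling, for the cooperating-partner case Noel describes. It shows with openssl why the original poster's pins break on renewal: the certificate fingerprint changes every time a new certificate is issued, while the fingerprint of the public key stays the same as long as the partner keeps their key pair (Postfix 2.9.6 and later accept public-key fingerprints at the "fingerprint" level, computed with the digest named in smtp_tls_fingerprint_digest, sha1 here as in the poster's config). It also builds a tls_policy line that pins more than one value with the '|' separator, so a current and a next fingerprint can both be listed before a rollover. The hostname, domain and file names are made up for the demo; the key and the two certificates are generated on the fly.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes openssl is installed;
# partner.example / mail.partner.example and the cert file names are made up.
set -eu

# SHA-1 fingerprint of the certificate itself, in Postfix's AA:BB:CC:... form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr a-f A-F
}

# SHA-1 fingerprint of the certificate's public key (DER SubjectPublicKeyInfo).
# This is the value that survives a renewal when the remote site reuses its key.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha1 -c | cut -d= -f2 | tr -d ' ' | tr a-f A-F
}

# One tls_policy line pinning several fingerprints; alternatives are '|'-separated.
policy_line() {
    domain=$1; shift
    fps=$(printf '%s|' "$@"); fps=${fps%|}
    printf '%s fingerprint match=%s\n' "$domain" "$fps"
}

# Constructed scenario: one key pair, two certificates issued at different times
# (as happens when a partner renews a 365-day certificate but keeps the key).
make_demo_certs() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -subj /CN=mail.partner.example \
        -days 365 -out "$dir/cert-2013.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -subj /CN=mail.partner.example \
        -days 365 -out "$dir/cert-2014.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    echo "cert   fingerprint 2013: $(cert_fingerprint "$dir/cert-2013.pem")"
    echo "cert   fingerprint 2014: $(cert_fingerprint "$dir/cert-2014.pem")"
    echo "pubkey fingerprint 2013: $(pubkey_fingerprint "$dir/cert-2013.pem")"
    echo "pubkey fingerprint 2014: $(pubkey_fingerprint "$dir/cert-2014.pem")"
    echo "tls_policy entry pinning the current cert and the (stable) key:"
    policy_line partner.example \
        "$(cert_fingerprint "$dir/cert-2013.pem")" \
        "$(pubkey_fingerprint "$dir/cert-2013.pem")"
    rm -rf "$dir"
}

# Run with:  sh fingerprints.sh --demo
case "${1:-}" in --demo) demo ;; esac
```

After editing tls_policy, `postmap hash:/etc/postfix/tls_policy` must be re-run for Postfix to see the new entry; the policy line produced above is what goes into that file.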