On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:

> > Fingerprinting the leaf certificate will work until the next time
> > they deploy a new leaf certificate without notifying you in advance.
> > This is because fingerprint security does not rely on a valid chain
> > of signatures from a trusted root, but does depend on matching the
> > exact certificate or public key.
>
> Presumably, this would not be a problem with public-key fingerprints
> until they change the key itself.

Yes, as documented:

    http://www.postfix.org/TLS_README.html#client_tls_fprint

with instructions on how to extract public key digests from X.509 certs
also at:

    http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest

--
	Viktor.
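
The distinction discussed in this exchange, as an added example that is not part of the original message or of Postfix: a certificate fingerprint changes whenever a new leaf is issued, while a public-key fingerprint changes only when the key does. It assumes the public-key fingerprint is a SHA-256 digest over the DER SubjectPublicKeyInfo; `toy_cert`, the key bytes and `mx.example` are constructed DER test data, not real signed certificates.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one element (short or long definite length)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read(buf, off):
    """Return (tag, value_start, end) for the DER element at buf[off]."""
    tag, n, pos = buf[off], buf[off + 1], off + 2
    if n & 0x80:                      # long form: low bits = count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_der(cert):
    """Slice the DER SubjectPublicKeyInfo out of a DER X.509 certificate."""
    _, off, _ = read(cert, 0)         # Certificate SEQUENCE
    _, off, _ = read(cert, off)       # TBSCertificate SEQUENCE
    tag, _, end = read(cert, off)
    if tag == 0xA0:                   # optional [0] version
        off = end
    for _ in range(5):                # serial, sig alg, issuer, validity, subject
        _, _, off = read(cert, off)
    _, _, end = read(cert, off)
    return cert[off:end]

def fingerprints(cert):
    """(certificate digest, public-key digest), both SHA-256 over DER."""
    return hashlib.sha256(cert).hexdigest(), hashlib.sha256(spki_der(cert)).hexdigest()

# Constructed sample data: well-formed DER, placeholder key and signature.
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
KEY_A, KEY_B = b"\xA1" * 64, b"\xB2" * 64

def toy_cert(serial, not_after, key):
    cn = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"mx.example"))
    name = tlv(0x30, tlv(0x31, cn))
    validity = tlv(0x30, tlv(0x17, b"131022000000Z") + tlv(0x17, not_after))
    spki = tlv(0x30, ALG + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + ALG + name + validity + name + spki)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00" * 33))

old = toy_cert(1, b"141022000000Z", KEY_A)
renewed = toy_cert(2, b"151022000000Z", KEY_A)   # new leaf, same key
rekeyed = toy_cert(3, b"151022000000Z", KEY_B)   # new leaf, new key
```

Comparing `fingerprints(old)` with `fingerprints(renewed)` shows a changed certificate digest and an unchanged public-key digest; `rekeyed` changes both.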