On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:

> > Fingerprinting the leaf certificate will work until the next time
> > they deploy a new leaf certificate without notifying you in advance.
> > This is because fingerprint security does not rely on a valid chain
> > of signatures from a trusted root, but does depend on matching the
> > exact certificate or public key.
> 
> Presumably, this would not be a problem with public-key fingerprints
> until they change the key itself.

Yes, as documented:

    http://www.postfix.org/TLS_README.html#client_tls_fprint

with instructions on how to extract public key digests from X.509
certs also at:

    http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest

-- 
        Viktor.
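The distinction in this exchange, as an added illustration that is not part of the thread and not Postfix code: a whole-certificate fingerprint changes whenever a new leaf certificate is issued, while a public-key fingerprint (the digest of the DER SubjectPublicKeyInfo, which is what the Postfix instructions linked above extract with openssl) only changes when the key itself changes. The script below uses only the Python standard library; the two "certificates" are constructed in-line with a toy modulus and a placeholder signature field (assumptions, not real keys or real Postfix output), so it runs offline.

```python
"""Why a public-key (SPKI) fingerprint survives certificate renewal while a
whole-certificate fingerprint does not. Constructed example, stdlib only."""
import hashlib

SEQ, INT, BITSTR, OID, NULL, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0x17, 0xA0
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_iter(buf: bytes):
    """Yield (tag, value, raw_tlv) for each TLV inside a constructed body."""
    i = 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            k = ln & 0x7F
            ln = int.from_bytes(buf[j:j + k], "big")
            j += k
        yield tag, buf[j:j + ln], buf[i:j + ln]
        i = j + ln


def der_int(v: int) -> bytes:
    """DER INTEGER; extra leading 0x00 when the high bit is set."""
    return der(INT, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (toy modulus, not a real key)."""
    rsa_key = der(SEQ, der_int(modulus) + der_int(exponent))
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + rsa_key))


def make_cert(serial: int, not_before: bytes, not_after: bytes, spki: bytes) -> bytes:
    """Structurally valid X.509 v3 certificate; signature field is a placeholder."""
    sig_alg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    tbs = der(SEQ,
              der(CTX0, der(INT, b"\x02"))                # [0] version v3
              + der_int(serial)                           # serialNumber
              + sig_alg                                   # signature algorithm
              + der(SEQ, b"")                             # issuer (empty Name)
              + der(SEQ, der(UTCTIME, not_before) + der(UTCTIME, not_after))
              + der(SEQ, b"")                             # subject (empty Name)
              + spki)                                     # subjectPublicKeyInfo
    placeholder_sig = der(BITSTR, b"\x00" + bytes([serial & 0xFF]) * 32)
    return der(SEQ, tbs + sig_alg + placeholder_sig)


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the raw SPKI TLV."""
    cert_tag, cert_body, _ = next(der_iter(cert_der))
    tbs_tag, tbs_body, _ = next(der_iter(cert_body))
    if cert_tag != SEQ or tbs_tag != SEQ:
        raise ValueError("not a DER Certificate")
    fields = list(der_iter(tbs_body))
    if fields[0][0] == CTX0:                 # optional explicit version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def fingerprint(data: bytes, digest: str = "sha256") -> str:
    """Colon-separated hex digest, the layout used in Postfix fingerprint tables."""
    h = hashlib.new(digest, data).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_fingerprint(cert_der: bytes) -> str:
    return fingerprint(cert_der)


def pubkey_fingerprint(cert_der: bytes) -> str:
    return fingerprint(extract_spki(cert_der))


# Constructed toy 2048-bit modulus; the same key pair is reused at renewal.
KEY_MODULUS = int.from_bytes(hashlib.sha512(b"example-key").digest() * 4, "big") | (1 << 2047) | 1
SPKI = make_spki(KEY_MODULUS)
CERT_2013 = make_cert(0x1001, b"131022000000Z", b"141022000000Z", SPKI)
CERT_2014 = make_cert(0x1002, b"141022000000Z", b"151022000000Z", SPKI)  # renewed, same key


def demo() -> dict:
    """Compare both pinning strategies across the constructed renewal."""
    return {
        "cert_fingerprints_match": cert_fingerprint(CERT_2013) == cert_fingerprint(CERT_2014),
        "pubkey_fingerprints_match": pubkey_fingerprint(CERT_2013) == pubkey_fingerprint(CERT_2014),
    }


if __name__ == "__main__":
    print(demo())
```

The SPKI digest computed here is the same bytes the linked openssl pipeline hashes (`-pubkey` output re-encoded as DER), so a pin taken that way keeps matching through renewals as long as the operator re-uses the key; a whole-certificate pin has to be refreshed on every reissue.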
