I just configured a TLS policy map with a fingerprint check on my server to communicate securely with the SMTP server of a friend of mine. It works fine. If the fingerprint check fails when sending out mail, the mail is deferred.

However, there are three points which I don't understand:

1. Why does my server not check the fingerprint for incoming emails? Why is it only checked for outgoing mails? Normally it could check the fingerprint of my friend's SMTP server in both directions?

2. Could it be possible to add the fingerprint of the TLS connection to each email header? Then I could add more fingerprint verifications to my TLS policy map list without asking my friends all the time to run complex openssl commands to get the SHA1 fingerprint. Like so:

Received: from xyz.tld (xyz.tld [10.0.0.1]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits), SHA1 fingerprint 12:54:D1:D4:4F:C9:E3:DC:F3:D7:66:B0:B8:7E:87:0B:01:73:C2:AA) (No client certificate requested) by foobar.com (Postfix) with ESMTPS id 014B043C15A6 for <t...@foobar.com>; Wed, 12 Jun 2013 12:00:25 +0200 (CEST)

3. If the fingerprint could be checked for incoming connections, could it be possible to note in the email header that the fingerprint has been checked? I know that failed checks would then be rejected directly on the smtpd side with an error code 550 or something like that. But I would like to be informed if an email has been checked, to be sure that the system is configured correctly and that I did not forget a domain. It could look like this in the email header:

TLS-Fingerprint-Check: PASSED

--
Best regards,
Peter Bauer
Linux & UNIX developer
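As an added example (not part of the post above and not Postfix's own code), the script below does the bookkeeping the poster wants to avoid asking friends for: it takes a certificate in PEM form, computes the colon-separated upper-case fingerprint in the form Postfix prints and expects, and emits the two map lines a fingerprint pin needs: a tls_policy entry for the outbound direction (used via smtp_tls_policy_maps) and a relay_clientcerts entry for the inbound direction (used via a check_ccert_access restriction in smtpd). The certificate bytes, the host names and the digest choice are constructed placeholders; the sha1 default matches the post's SHA1 fingerprint, and the digest name should agree with the smtp_tls_fingerprint_digest / smtpd_tls_fingerprint_digest settings on the server that evaluates the map.

```python
import base64
import hashlib
import re
import textwrap

# Constructed sample: NOT a real certificate, just stand-in DER bytes wrapped
# in PEM armour so the parser has something to decode offline.
SAMPLE_DER = bytes(range(120))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Digest of the DER certificate as colon-separated upper-case hex pairs,
    the notation Postfix uses for certificate fingerprints."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def tls_policy_line(nexthop: str, fp: str) -> str:
    """Outbound pin: one smtp_tls_policy_maps entry for the given next-hop."""
    return f"{nexthop} fingerprint match={fp}"


def relay_clientcerts_line(fp: str, hostname: str) -> str:
    """Inbound pin: one relay_clientcerts entry (fingerprint -> host name)
    for an smtpd check_ccert_access lookup."""
    return f"{fp} {hostname}"


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring case and separator style, so a value
    copied from a Received header or openssl output compares correctly."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) == norm(b)


if __name__ == "__main__":
    # Hypothetical peer host names; replace with the real ones.
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("# /etc/postfix/tls_policy (outbound)")
    print(tls_policy_line("xyz.tld", fp))
    print("# /etc/postfix/relay_clientcerts (inbound)")
    print(relay_clientcerts_line(fp, "xyz.tld"))
```

Run it against a real certificate by replacing SAMPLE_PEM with the PEM the peer sends (for example the output of openssl s_client), then postmap the two files as usual. The inbound map only pins a peer that presents a client certificate, which is the part the poster's Received header shows is not yet happening ("No client certificate requested").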