I just configured a TLS policy map with a fingerprint check on my server to 
communicate securely with the SMTP server of a friend of mine.
It works fine. If the fingerprint check fails when sending out mail, it will be 
deferred.

However, there are three points which I don't understand:
1. Why does my server not check the fingerprint for incoming emails? Why is it 
only checked for outgoing mails?
Normally it could check the fingerprint of my friend's SMTP server in both 
directions?

2. Could it be possible to add the fingerprint of any TLS connection to each 
email header?
Then I could add more fingerprint verifications to my TLS policy map list 
without asking my friends all the time to run complex
openssl commands to get the SHA1 fingerprint.

Like so:
Received: from xyz.tld (xyz.tld [10.0.0.1])
        (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits),
        SHA1 fingerprint 
12:54:D1:D4:4F:C9:E3:DC:F3:D7:66:B0:B8:7E:87:0B:01:73:C2:AA)
        (No client certificate requested)
        by foobar.com (Postfix) with ESMTPS id 014B043C15A6
        for <t...@foobar.com>; Wed, 12 Jun 2013 12:00:25 +0200 (CEST)

3. If the fingerprint could be checked for incoming connections, could it be 
possible to add to the email header that the fingerprint has been
checked? I know that failed checks will then be rejected directly on the smtpd side 
with an error code 550 or something like that.
But I would like to be informed if an email has been checked, to be sure that 
the system is configured correctly and that I did not
forget a domain.
It could look like this in the email header:
TLS-Fingerprint-Check: PASSED

-- 
Best regards,
Peter Bauer
Linux & UNIX developer
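As an added example (not part of the post above and not Postfix code), here is a small Python check of the outbound behaviour the post describes: it computes a certificate fingerprint in the colon-separated form Postfix uses, parses tls_policy entries of the form "nexthop fingerprint match=FP1|match=FP2", and reports whether a peer certificate would pass, fail (mail deferred) or be subject to no fingerprint policy at all (the "forgot a domain" case from point 3). The DER bytes are a constructed stand-in, not a real certificate, and the digest defaults to SHA1 as in the post.

```python
import hashlib

def fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    """Colon-separated upper-case digest of a DER certificate, the form
    Postfix prints and expects in tls_policy 'match=' values."""
    hexdigest = hashlib.new(digest, cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize(fp: str) -> str:
    # Fingerprints may be written with or without colons and in any case.
    return fp.replace(":", "").upper()

def parse_policy(text: str) -> dict:
    """Parse tls_policy lines 'nexthop level match=FP|match=FP ...'
    (a line starting with whitespace continues the previous entry)
    into {nexthop: (level, {normalized fingerprints})}."""
    policy, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            attrs = raw.split()                 # continuation line
        else:
            current, level, *attrs = raw.split()
            policy[current] = (level, set())
        for attr in attrs:
            if attr.startswith("match="):
                for piece in attr[len("match="):].split("|"):
                    if piece.startswith("match="):
                        piece = piece[len("match="):]
                    policy[current][1].add(normalize(piece))
    return policy

def check_outgoing(policy: dict, nexthop: str, cert_der: bytes, digest: str = "sha1"):
    """True: peer cert matches a 'fingerprint' entry for nexthop.
    False: mismatch, i.e. the delivery would be deferred.
    None: no fingerprint policy configured for this destination."""
    level, allowed = policy.get(nexthop, (None, set()))
    if level != "fingerprint":
        return None
    return normalize(fingerprint(cert_der, digest)) in allowed

# Constructed stand-in for the friend's certificate in DER form (not a real cert).
FRIEND_CERT_DER = b"constructed-der-bytes-of-friend-cert"

if __name__ == "__main__":
    policy = parse_policy("xyz.tld  fingerprint match=" + fingerprint(FRIEND_CERT_DER) + "\n")
    print(check_outgoing(policy, "xyz.tld", FRIEND_CERT_DER))    # True
    print(check_outgoing(policy, "xyz.tld", b"some-other-cert"))  # False
    print(check_outgoing(policy, "other.tld", FRIEND_CERT_DER))  # None
```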
