Viktor Dukhovni wrote the following on 23.10.2013 16:23:
If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
fingerprints, or upgrade to 2.9.6 or later.
That wasn't the problem, the documentation is quite clear in this
regard. I mistakenly used the public key instructions for a
On Thu, Oct 24, 2013 at 07:59:46AM +0200, Tobias Reckhard wrote:
Support for public key fingerprints was added in Postfix 2.9, ...
This is stated at the beginning of the section dealing with
fingerprints. Further down, where the actual openssl commands are noted,
there is no such note.
On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote:
with instructions on how to extract public key digests from X.509
certs also at:
http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
Those instructions had me confused a bit, I think I now see why. I'd
Viktor Dukhovni wrote the following on 21.10.2013 17:30:
This organization uses SHA256 signatures for their certificates, even
though these are not widely supported.
Ah, OK, thanks for the explanation.
The most recent patch levels
of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256
Viktor Dukhovni wrote the following on 21.10.2013 17:21:
On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
Looks as if they use a private root CA. Probably the easiest fix is
to use fingerprint verification. See:
http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
No,
On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
Maybe fingerprinting would work, though. I'll give it a shot on a test
system. Thanks for the suggestion.
Fingerprinting the leaf certificate will work until the next time
they deploy a new leaf certificate without notifying you
On Tue, Oct 22, 2013 at 11:01:22AM +0200, Tobias Reckhard wrote:
The most recent patch levels
of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for
SSL/TLS.
postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've
suggested upgrading to that, since it should
Viktor Dukhovni:
On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
Maybe fingerprinting would work, though. I'll give it a shot on a test
system. Thanks for the suggestion.
Fingerprinting the leaf certificate will work until the next time
they deploy a new leaf
On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:
Fingerprinting the leaf certificate will work until the next time
they deploy a new leaf certificate without notifying you in advance.
This is because fingerprint security does not rely on a valid chain
of signatures from a
On 10/21/2013 7:55 AM, Tobias Reckhard wrote:
Hello
In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
to a couple of domains, I'm running into the following oddity when
sending e-mail to the UniCredit servers:
Oct 21 08:43:58 hostname postfix/smtp[5991]: CA
On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate
verification failed for mx10.unicredit.eu[62.122.80.93]:25:
num=7:certificate signature failure
This organization uses SHA256 signatures for their certificates, even
On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate
verification failed for mx10.unicredit.eu[62.122.80.93]:25:
num=7:certificate signature failure
Looks as if they use a private root CA. Probably the easiest fix is
to
On Mon, Oct 21, 2013 at 03:30:46PM +, Viktor Dukhovni wrote:
On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate
verification failed for mx10.unicredit.eu[62.122.80.93]:25:
num=7:certificate signature failure
13 matches
Mail list logo