On Thu, Sep 02, 2010 at 12:41:47PM -0500, Vernon A. Fort wrote:
> Concerning outbound email to a specific domain that I need encrypted, I
> use smtp_tls_policy_maps. I would like some level of verification that
> the remote server IS the server I think it is. I see the
> smtp_tls_security_level as encrypt, fingerprint, verify or secure. What
> would be the best overall solution?
>
> If I do the fingerprint, do I MD5sum their public or private key?
You don't have their private key, you should use SHA-1, not MD5, and
certificate fingerprints are computed via:

    openssl x509 -in <cert>.pem -noout -sha1 -fingerprint

Where <cert>.pem is the file containing the remote certificate in PEM
format. Don't forget to set:

    smtp_tls_fingerprint_digest = sha1

The choice between "fingerprint" and "secure" depends on whether the remote
cert is self-signed and stable, or signed public CA and changes each time it
expires.

-- 
Viktor.
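Added example (not from the thread above or from Postfix itself): it reproduces what the openssl command computes, the SHA-1 of the DER-encoded certificate written as colon-separated upper-case hex, and turns it into the `match=` policy-map entry Postfix uses with the fingerprint level. The embedded "certificate" is a constructed stand-in whose DER body is just the bytes "abc", so the result can be checked against the well-known SHA-1 of "abc"; point `pem_to_der` at a real <cert>.pem to get the value for your main.cf.

```python
import base64
import hashlib
import re

# Constructed stand-in for a remote server certificate: a PEM wrapper whose
# body is base64("abc"), so the "DER" is the three bytes b"abc". For real use
# save the remote server's certificate as <cert>.pem and read that instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Fingerprint as printed by `openssl x509 -noout -<digest> -fingerprint`:
    the digest over the DER certificate, upper-case hex, colon separated."""
    h = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def policy_line(domain: str, pems, digest: str = "sha1") -> str:
    """smtp_tls_policy_maps entry for the fingerprint level; several
    fingerprints (e.g. old and new cert during a rollover) are joined by '|'."""
    fps = "|".join(cert_fingerprint(p, digest) for p in pems)
    return f"{domain} fingerprint match={fps}"


def fingerprint_matches(policy: str, pem: str, digest: str = "sha1") -> bool:
    """Check whether a presented certificate satisfies a policy-map line
    (hex case is ignored here so hand-typed entries still compare)."""
    m = re.search(r"match=(\S+)", policy)
    if not m:
        return False
    allowed = {fp.upper() for fp in m.group(1).split("|")}
    return cert_fingerprint(pem, digest).upper() in allowed


if __name__ == "__main__":
    print(policy_line("example.com", [SAMPLE_PEM]))
    print("main.cf: smtp_tls_fingerprint_digest = sha1")
```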