On Thu, 2010-09-02 at 13:47 -0400, Victor Duchovni wrote: > On Thu, Sep 02, 2010 at 12:41:47PM -0500, Vernon A. Fort wrote: > > > Concerning outbound email to a specific domain that I need encrypted, I > > use smtp_tls_policy_maps. I would like some level of verification that > > the remote server IS the server I think it is. I see the > > smtp_tls_security_level as encrypt, fingerprint, verify or secure. What > > would be the best overall solution. > > > > If I do the fingerprint, do I MD5sum their public or private key? > > You don't have their private key, you should use SHA-1, not MD5 and > certificate fingerprints are computed via: > > openssl x509 -in <cert>.pem -noout -sha1 -fingerprint > > Where <cert>.pem is the file containing the remote certificate in > PEM format. Don't forget to set: > > smtp_tls_fingerprint_digest = sha1 > > The choice between "fingerprint" and "secure" depends on whether the > remote cert is self-signed and stable, or signed public CA and changes > each time it expires. >
OK - so i get them to send me their cert file - then create a fingerprint. Now, what kind of overhead does this cause. Meaning will our server request THEIR cert (then do the match) on every mail submission? Also (dummy question), whats the 'brief' difference between MD5 and sha1? Vernon
