On Thu, Sep 02, 2010 at 01:30:24PM -0500, Vernon A. Fort wrote:

> > The choice between "fingerprint" and "secure" depends on whether the
> > remote cert is self-signed and stable, or signed public CA and changes
> > each time it expires.
> > 
> 
> OK - so I get them to send me their cert file - then create a
> fingerprint.

The actual sending of the cert is not necessary, their server makes it
available to anyone who connects. You do however need to coordinate the
security level with them, and get mutual agreement on the authentication
strategy.

For example, you can get the cert (chain) via:

    $ openssl s_client -starttls smtp -showcerts -connect mail.example.com:25

> Now, what kind of overhead does this cause?  Meaning will
> our server request THEIR cert (then do the match) on every mail
> submission?

This is part of the SSL handshake, even when you don't check the
certificate, unless both sides support and use anonymous ciphers.

> Also (dummy question), what's the 'brief' difference between MD5 and
> sha1?

MD5 is more obsolete than SHA-1.

-- 
        Viktor.
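An added example, not code from Viktor's message or from Postfix: it pulls the certificate chain out of `openssl s_client -showcerts` output (leaf first) and computes the MD5 or SHA-1 fingerprint that a fingerprint-based match would be pinned to. The PEM block is a constructed dummy whose payload is the bytes `abc`, so the digests are known in advance; real s_client output can be fed to `extract_certs` unchanged.

```python
"""Fingerprint certificates from `openssl s_client -showcerts` output."""
import base64
import hashlib
import re

# Constructed stand-in for `openssl s_client -starttls smtp -showcerts`
# output. The "certificate" is a dummy PEM block: base64("abc") == "YWJj".
# A real server prints its full chain here, leaf certificate first.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mail.example.com
---
Certificate chain
 0 s:CN = mail.example.com
   i:CN = mail.example.com
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_certs(s_client_output: str) -> list:
    """Return the DER bytes of every certificate found, in printed order."""
    return [base64.b64decode("".join(blob.split()))
            for blob in _PEM_RE.findall(s_client_output)]


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER-encoded certificate, formatted the way
    `openssl x509 -fingerprint` prints it: colon-separated upper-case hex."""
    if algo not in ("md5", "sha1", "sha256"):
        raise ValueError("unsupported digest: %s" % algo)
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches(fp: str, pinned: list) -> bool:
    """Compare on bare hex digits, case-insensitively, so a fingerprint
    copied from either openssl or a config file matches the pinned list."""
    norm = lambda s: s.replace(":", "").lower()
    return norm(fp) in {norm(p) for p in pinned}


if __name__ == "__main__":
    leaf = extract_certs(SAMPLE_S_CLIENT_OUTPUT)[0]  # leaf is entry 0
    for algo in ("md5", "sha1"):
        print(algo, fingerprint(leaf, algo))
```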
