On 06/12/2013 03:02 PM, Peter Bauer wrote:
I got a connection from someone with a client certification: Received: from foo.bar (foo.bar [10.0.0.1]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mail.foo.bar", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by myserver.com (Postfix) with ESMTPS id 62A9141C05A4 for <m...@myserver.com>; Wed, 12 Jun 2013 14:46:07 +0200 (CEST)My problem is the following entry in the header: -> (not verified) I would like to verify the fingerprint of this client certificate of the incoming connection. At least it would be fine if the certificate could be checked. I have not found any option how to tell postfix to check client connection certificates (I mean incoming TLS connections). How can I check the certificate of the incoming email? By fingerprint would be nice. And I would like to refuse it if check fails.
http://www.postfix.org/TLS_README.html#server_vrfy_client -- J.
