My goal is to use self-issued certificates to encrypt the communications between two Postfix MTAs and validate their identities.

Per http://www.postfix.org/postconf.5.html#smtpd_tls_policy_maps, if I use fingerprint in smtp_tls_policy_maps, "there are no trusted certificate authorities. The certificate trust chain, expiration date, ... are not checked".

So I generated the keys on both servers and configured them in both Postfix with smtpd_tls_key_file and smtpd_tls_cert_file.

On the originating server I have:

    smtp_tls_security_level = may
    smtp_tls_note_starttls_offer = yes
    smtp_tls_fingerprint_digest = sha1
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_loglevel = 1
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_session_cache_timeout = 3600s

tls policy is:

    domain.com fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
    mail.domain.com fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d

On the receiving server I have:

    smtpd_tls_security_level = may
    smtpd_tls_key_file = /etc/ssl/mail.domain.com.key
    smtpd_tls_cert_file = /etc/ssl/mail.domain.com.crt
    smtpd_tls_received_header = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

When I try to send an email on the originating server I have these log entries:

    postfix/smtp[5360]: setting up TLS connection to xxxx[x.x.x.x]:25
    postfix/smtp[5360]: certificate verification failed for mail.domain.com[x.x.x.x]:25: self-signed certificate
    Untrusted TLS connection established to mail.domain.com[x.x.x.x]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    postfix/smtp[5360]: A4A6320004D: Server certificate not verified

even if "fingerprint" should not verify the certificate path. What am I missing?

Ciao,
luigi

-- 
/ +--[Luigi Rosa]--
\ The NYT reports that Mark Papermaster, Apple's man in charge of iPhone hardware, has left the company. He will be replaced by Nigel Antennamaster.
  --boingboing.com
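An added example, not part of the post above and not Postfix's own code, showing what the fingerprint security level actually compares: Postfix digests the DER encoding of the certificate the peer presents, using the algorithm named in smtp_tls_fingerprint_digest (sha1 in the post), and looks for that colon-separated hex value among the match= clauses of the policy entry for the next-hop destination. That digest is the same value `openssl x509 -noout -fingerprint -sha1 -in mail.domain.com.crt` prints on the receiving server, so comparing it against /etc/postfix/tls_policy is the first check to make when Postfix logs "Server certificate not verified" under a fingerprint policy. The certificate bytes below are a constructed placeholder rather than a real X.509 structure, the policy table is constructed in the layout of the post's tls_policy file, and the lookup is simplified: it ignores the [host] form of next-hop names and does not model the public-key fingerprint that Postfix 2.9 and later also accept in match=.

```python
import base64
import hashlib
import ssl

# Constructed placeholder for the peer's certificate.  These bytes are not an
# X.509 structure; Postfix fingerprints the DER encoding of the certificate,
# so the digest step below is identical for a real one.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed policy table in the layout of /etc/postfix/tls_policy from the post.
# The first fingerprint is the one quoted in the post; the second is the sha1
# digest of SAMPLE_DER, i.e. what the placeholder certificate above produces.
POLICY_TEXT = """\
# next-hop        level        acceptable fingerprints
domain.com        fingerprint  match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
mail.domain.com   fingerprint  match=a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
other.example     may
"""


def cert_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Digest of the DER certificate, lowercase hex with colons.

    This is the form a match= clause takes and what
    `openssl x509 -noout -fingerprint -sha1 -in cert.pem` prints.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the PEM armor and base64-decodes
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02x}" for b in raw)


def load_policy(text: str) -> dict:
    """Parse tls_policy lines into {nexthop: (level, [fingerprints])}."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        nexthop, level = fields[0].lower(), fields[1].lower()
        matches = [f[len("match="):].lower() for f in fields[2:] if f.startswith("match=")]
        policy[nexthop] = (level, matches)
    return policy


def evaluate(policy: dict, nexthop: str, peer_pem: str, digest: str = "sha1") -> tuple:
    """Return (effective level, matched) for one delivery.

    matched is True/False only when the level is "fingerprint"; None otherwise
    (other levels decide trust differently, and a missing entry falls back to
    smtp_tls_security_level).  Simplification: the [host] form of next-hop names
    and the public-key fingerprint check of Postfix >= 2.9 are not modelled.
    """
    entry = policy.get(nexthop.lower())
    if entry is None:
        return ("default", None)
    level, acceptable = entry
    if level != "fingerprint":
        return (level, None)
    return (level, cert_fingerprint(peer_pem, digest) in acceptable)


if __name__ == "__main__":
    policy = load_policy(POLICY_TEXT)
    print("presented certificate fingerprint:", cert_fingerprint(SAMPLE_PEM))
    for dest in ("mail.domain.com", "domain.com", "other.example", "unknown.example"):
        print(dest, "->", evaluate(policy, dest, SAMPLE_PEM))
```

Running it shows the two outcomes a fingerprint policy can produce: the entry for mail.domain.com carries the digest of the presented certificate and verifies, while the entry for domain.com carries a different value and does not, which is the situation in which Postfix defers with "Server certificate not verified". Note that the digest must be computed with the same algorithm set in smtp_tls_fingerprint_digest; a value printed by `openssl` with a different `-sha*`/`-md5` option will never match.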