* Luigi Rosa <li...@luigirosa.com>:
> My goal is to use self-issued certificates to encrypt the communications
> between two Postfix MTAs and validate their identities
>
> Per http://www.postfix.org/postconf.5.html#smtpd_tls_policy_maps if I use
> fingerprint in smtp_tls_policy_maps "there are no trusted certificate
> authorities. The certificate trust chain, expiration date, ... are not
> checked"
>
> So I generated the keys on both servers and configured them in both Postfix
> with smtpd_tls_key_file and smtpd_tls_cert_file
>
> On the originating server I have:
>
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtp_tls_loglevel = 1
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
>
> tls policy is:
>
> domain.com fingerprint
>     match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
> mail.domain.com fingerprint
>     match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
>
>
> On the receiving server I have
>
> smtpd_tls_security_level = may
> smtpd_tls_key_file = /etc/ssl/mail.domain.com.key
> smtpd_tls_cert_file = /etc/ssl/mail.domain.com.crt
> smtpd_tls_received_header = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
You don't tell Postfix where to find the CA file that holds all CAs you trust. Without a CA cert Postfix cannot verify a server cert.

p@rick
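Added example, not code from the thread or from Postfix: a small Python checker for a fingerprint-level tls_policy map. It reads the map the way postmap does (an indented line continues the previous entry), flags match= values whose length does not fit the configured smtp_tls_fingerprint_digest (sha1 is 20 bytes, sha256 is 32), and computes a certificate's fingerprint the way `openssl x509 -noout -fingerprint -sha1` does, as a digest over the DER bytes inside the PEM, so the two can be compared before the map is deployed. The sample map reuses the digest from the thread; the PEM block is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}  # smtp_tls_fingerprint_digest values
FP_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})*$")

def parse_tls_policy(text):
    """Parse postmap source text into {nexthop: (level, [match= fingerprints])}."""
    logical = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line[:1].isspace() and logical:      # indented line continues the previous entry
            logical[-1] += " " + line.strip()
        elif line.strip():
            logical.append(line)
    policy = {}
    for entry in logical:
        nexthop, level, *attrs = entry.split()
        fps = [a.split("=", 1)[1].lower() for a in attrs if a.startswith("match=")]
        policy[nexthop] = (level, fps)
    return policy

def policy_problems(policy, digest):
    """List fingerprint entries that can never match under the configured digest."""
    problems, want = [], DIGEST_BYTES[digest]
    for nexthop, (level, fps) in policy.items():
        if level != "fingerprint":
            continue
        for fp in fps:
            if not FP_RE.match(fp):
                problems.append(f"{nexthop}: {fp!r} is not a colon-separated hex digest")
            elif fp.count(":") + 1 != want:
                problems.append(f"{nexthop}: {fp} is not a {digest} digest ({want} bytes)")
    return problems

def cert_fingerprint(pem, digest):
    """Digest of the DER bytes inside a PEM block, formatted like openssl x509 -fingerprint."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return ":".join(f"{b:02x}" for b in hashlib.new(digest, base64.b64decode(body)).digest())

# Map from the thread (two nexthops, one shared sha1 digest); second entry uses a continuation line.
SAMPLE_POLICY = """\
domain.com       fingerprint match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
mail.domain.com  fingerprint
    match=09:e6:21:1b:92:86:67:f1:56:6b:a5:06:7f:00:7e:ab:c7:43:68:6d
"""
# Constructed placeholder, not a real X.509 certificate: the fingerprint is a hash of the DER body.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(bytes(range(48))).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Run `policy_problems(parse_tls_policy(open("/etc/postfix/tls_policy").read()), "sha1")` against the real map and compare `cert_fingerprint()` of the peer's certificate with the match= values before running postmap.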