On Tue, Jun 09, 2015 at 07:37:54PM -0700, PGNd wrote:
> A simpler alternative for my case may be
>
>   -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
>   -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
> + -o smtp_tls_fingerprint_cert_match=$var_FP01
>   -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
> - -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
> - -o smtp_tls_security_level=secure
> + -o smtp_tls_security_level=fingerprint
>   -o tls_append_default_CA=no
>
> which returns in log
>
> Jun 9 19:27:30 remote016 postfix/relay-remote/smtp[25329]: Verified
> TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> with a Verified TLS connection
If you control both ends, and are willing to maintain synchronization between client configuration and server certificate, this is more secure than using a CA. Prior to installing a new server certificate, configure the client with both fingerprints (current and planned). This requires some operational discipline, but avoids trusting third parties.

> Is 'Verified' here equivalent to your 'authentication' advice?

Yes.

> In this fingerprint mode, if the FP is un-matched, the send is deferred.
> Does that deferral constitute sufficient 'refusal to proceed'?

Yes.

-- 
	Viktor.
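As an added illustration of the rollover advice above (this is example code, not from the thread and not Postfix's own implementation), the following Python models the allow-list check that `smtp_tls_security_level=fingerprint` performs: the presented server certificate's digest is compared against every fingerprint listed in `smtp_tls_fingerprint_cert_match`, and a client configured with both the current and the planned fingerprint keeps verifying across a certificate swap. The DER byte strings are constructed placeholders so the example runs offline; in practice the fingerprint is taken over the real certificate (for instance `openssl x509 -noout -fingerprint -sha256 -in cert.pem`), and the digest algorithm is chosen by Postfix's `smtp_tls_fingerprint_digest` parameter.

```python
import hashlib
import re

# Constructed stand-ins for DER-encoded server certificates. They are not
# real certificates; a fingerprint is simply a digest over the DER bytes,
# so placeholder bytes are enough to exercise the matching logic.
CURRENT_CERT_DER = b"constructed-der: relay CN=internal.local010 serial=1"
PLANNED_CERT_DER = b"constructed-der: relay CN=internal.local010 serial=2"
ROGUE_CERT_DER = b"constructed-der: some other party's certificate"


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Certificate fingerprint in the colon-separated hex form Postfix prints."""
    raw = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: drop colons, compare case-insensitively."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_cert_match(value: str) -> list[str]:
    """Split an smtp_tls_fingerprint_cert_match value (space/comma separated)."""
    return [normalize(tok) for tok in re.split(r"[\s,]+", value.strip()) if tok]


def would_verify(der: bytes, cert_match: str, digest: str = "sha256") -> bool:
    """True when the presented certificate is on the allow-list (Postfix logs
    'Verified'); False models the mismatch case, where delivery is deferred."""
    return normalize(fingerprint(der, digest)) in parse_cert_match(cert_match)


def rollover_cert_match(current: bytes, planned: bytes, digest: str = "sha256") -> str:
    """Client-side value listing both the current and the planned certificate,
    so the swap on the server side never interrupts verification."""
    return " ".join(fingerprint(c, digest) for c in (current, planned))


if __name__ == "__main__":
    match = rollover_cert_match(CURRENT_CERT_DER, PLANNED_CERT_DER)
    print("smtp_tls_fingerprint_cert_match =", match)
    for name, der in (("current", CURRENT_CERT_DER),
                      ("planned", PLANNED_CERT_DER),
                      ("rogue", ROGUE_CERT_DER)):
        state = "Verified" if would_verify(der, match) else "deferred"
        print(f"{name:8s} -> {state}")
```

Once the planned certificate is live on the server, the old fingerprint can be dropped from the client list; leaving it in place keeps the window in which the retired certificate would still be accepted open longer than necessary.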