TLS in postfix SMTP client

DreamHost changed the SSL cert for mail once again.

There is a proper (if slightly fiddly) way of adding CA certificates to the Linux system's certificate store (on Debian/Ubuntu, where update-ca-certificates comes from the ca-certificates package):

  1. Put the CA certificates (as .crt files) in /usr/local/share/ca-certificates/, and NOT in the system directory /usr/share/ca-certificates/
  2. Run update-ca-certificates to rebuild the compiled list of CA certificates.
  3. Add the path to /etc/postfix/main.cf :
    smtp_tls_CApath = /etc/ssl/certs

… but I was too lazy to pursue that way to the end, so I ended up just updating the fingerprint for use by the postfix SMTP client.

Steps to add (update) fingerprint checking to Postfix SMTP client:

  1. Get the peer's SSL certificate:
    openssl s_client -connect mail.123unix.com:465
    Note: this command is good for testing any SSL/TLS connection, e.g. HTTPS or IMAPS (port 465 is implicit TLS; for a STARTTLS port such as 587 add -starttls smtp)
  2. Feed the printed certificate into
    openssl x509 -fingerprint -noout -in /dev/stdin
    or just
    openssl x509 -fingerprint
  3. (alternatively) pipe those two commands in a single command line:
    openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
  4. It prints out the SHA-1 fingerprint by default (add -sha256 for a SHA-256 fingerprint, and set smtp_tls_fingerprint_digest to match)
  5. Add the fingerprint to /etc/postfix/main.cf
    smtp_tls_fingerprint_cert_match =
    EE:63:65:35:BA:73:99:E8:7F:61:A5:4D:05:88:75:30:C7:17:30:A0
    # New fingerprint as of May 2014: B9:85:A8:C4:F8:B6:75:7A:BF:37:96:13:BB:78:33:1E:9C:FB:3A:57
    smtp_tls_fingerprint_digest = sha1
  6. The fingerprint can also be used in the per-destination TLS policy table /etc/postfix/tls_policy (referenced via smtp_tls_policy_maps), rebuilt with
    postmap /etc/postfix/tls_policy
    for cert/fingerprint checking on a per-destination basis.
  7. Tell postfix to reload config:
    service postfix reload
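As an added example (not from the post and not Postfix's own code), here is a small Python checker that does what steps 1 to 5 do by hand: it pulls the PEM block out of openssl s_client output, computes the fingerprint in the colon-separated form Postfix expects, and compares it with the smtp_tls_fingerprint_cert_match value parsed from main.cf following postconf(5)'s rules for continuation lines and comments (a line whose first non-blank character is # is a comment even when indented, so the "New fingerprint as of May 2014" line in the snippet above is not an active value). The main.cf excerpt and the s_client transcript are constructed; the certificate body is a placeholder (the base64 of the bytes "abc", not a real certificate) so that its expected digest is known. The optional live fetch uses ssl.get_server_certificate, which only works on implicit-TLS ports such as 465. Keep in mind that Postfix only enforces the fingerprint match when smtp_tls_security_level (or the per-destination policy entry) is set to fingerprint.

```python
"""Check a mail server's TLS certificate fingerprint against the value Postfix
is configured with (smtp_tls_fingerprint_cert_match). Added example, not part
of the original post or of Postfix."""
import hashlib
import re
import ssl
import sys


def extract_pem(text: str) -> str:
    """Pull the first PEM certificate block out of 'openssl s_client' output
    (what 'openssl x509 -in /dev/stdin' does with that stream)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found in input")
    return m.group(0) + "\n"


def fingerprint(pem: str, digest: str = "sha1") -> str:
    """Digest of the DER encoding, formatted like 'openssl x509 -fingerprint'
    and like Postfix's settings: upper-case hex pairs joined by ':'."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Postfix compares fingerprints case-insensitively; drop separators too."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_main_cf(text: str) -> dict:
    """Minimal main.cf reader per postconf(5): a logical line starts in column 0,
    indented lines continue it, and a line whose first non-blank character is
    '#' is a comment even when indented (it does NOT continue the value)."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + stripped).strip()
            continue
        name, _, value = stripped.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def configured_fingerprints(params: dict) -> set:
    """The parameter may list several fingerprints separated by commas or
    whitespace; return them normalized."""
    value = params.get("smtp_tls_fingerprint_cert_match", "")
    return {normalize(f) for f in re.split(r"[\s,]+", value) if f}


def check_peer(pem: str, params: dict):
    """Return (matches, fingerprint_seen). Assumption: fall back to sha1, the
    digest the post configures, when smtp_tls_fingerprint_digest is absent;
    Postfix's own default varies by version, so always set it explicitly."""
    digest = params.get("smtp_tls_fingerprint_digest", "sha1")
    seen = fingerprint(pem, digest)
    return normalize(seen) in configured_fingerprints(params), seen


# Constructed main.cf excerpt mirroring the post's snippet, plus a second
# (lower-case) fingerprint that matches the placeholder certificate below.
MAIN_CF = """\
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_cert_match =
    EE:63:65:35:BA:73:99:E8:7F:61:A5:4D:05:88:75:30:C7:17:30:A0
    # New fingerprint as of May 2014: B9:85:A8:C4:F8:B6:75:7A:BF:37:96:13:BB:78:33:1E:9C:FB:3A:57
    a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
smtp_tls_fingerprint_digest = sha1
"""

# Constructed stand-in for 'openssl s_client' output. The certificate body is
# NOT a real certificate: it is the base64 of the bytes b"abc", chosen so the
# expected SHA-1 (a9993e36...) is known. Real output carries a genuine PEM.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""


def fetch_server_pem(host: str, port: int = 465) -> str:
    """Live equivalent of step 1 for implicit-TLS ports such as 465 (for a
    STARTTLS port such as 587 use 'openssl s_client -starttls smtp' instead)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage: python check_fp.py [host [port]]; with no host, use the samples.
    cfg = parse_main_cf(MAIN_CF)
    if len(sys.argv) > 1:
        pem = fetch_server_pem(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 465)
    else:
        pem = extract_pem(S_CLIENT_OUTPUT)
    ok, seen = check_peer(pem, cfg)
    print(("MATCH " if ok else "MISMATCH ") + seen)
    sys.exit(0 if ok else 1)
```

Run against a live host (e.g. the mail server from step 1) from cron and alert on a non-zero exit: that turns the "DreamHost changed the cert again" surprise into a detection instead of a mail outage.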