
I'm attempting to use Postfix (version 2.6.6 on RHEL6) to connect to and send mail via a mail relay on our internal network. I want to connect with STARTTLS on port 25 (port 465 is not available on this server). The mail relay uses a self-signed SSL/TLS certificate so I needed to skip certificate verification using a certificate authority. I discovered the smtp_tls_security_level = fingerprint which does not check the trust chain, expiration date, etc. Instead it verifies using the certificate fingerprint.

I figured this was the perfect solution, but when I attempt to send an email, I still get errors in /var/log/maillog that say postfix/smtp[15182]: certificate verification failed for xxxxxxxxxxxx[zz.zz.zz.zz]:25: untrusted issuer.

I thought the whole point of the fingerprint security level was to skip certificate verification. Am I misunderstanding the point of this option? Is there something else I need to configure?

Here are the relevant lines from main.cf:

relayhost = [xxx.xxx.xxx]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options=
smtp_generic_maps = hash:/etc/postfix/generic
smtp_use_tls = yes
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
# fingerprint changed for ServerFault. just an example.
smtp_tls_fingerprint_cert_match = c1:d3:54:12:00:r0:ef:fa:42:48:10:ff:ac:1e:75:13:dd:ad:af:3e
smtp_tls_note_starttls_offer = yes


fronzee

2 Answers


Gonna answer my own question here. I did not manage to get fingerprint verification working, but I did discover how to get TLS without certificate verification. From the manual:

Mandatory TLS encryption can be configured by setting "smtp_tls_security_level = encrypt". Even though TLS encryption is always used, mail delivery continues even if the server certificate is untrusted or bears the wrong name.

I had tried this at one point but must not have had all the right options enabled. But using the settings above, I simply changed smtp_tls_security_level to encrypt and it works fine.

fronzee
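The question pins the relay with smtp_tls_security_level = fingerprint and the answer above falls back to encrypt. As an added example (not part of the question or either answer, and not Postfix's own code), the Python below derives the value smtp_tls_fingerprint_cert_match needs from the relay's certificate and checks a candidate value against it. It assumes the certificate PEM has been fetched with openssl s_client -starttls smtp -connect <relay>:25 -showcerts; the embedded SAMPLE_DER is a constructed stand-in for the DER bytes of a certificate, not a real certificate, so the script runs offline. It also assumes the local OpenSSL supports sha256, which it uses instead of the sha1 in the question.

```python
import base64
import hashlib
import re

# Constructed sample input: a five-byte DER SEQUENCE { INTEGER 1 }. It is NOT a
# real X.509 certificate; it only stands in for the DER bytes of the relay's
# certificate so the script runs offline. Replace SAMPLE_PEM with the PEM block
# printed by: openssl s_client -starttls smtp -connect <relay>:25 -showcerts
SAMPLE_DER = bytes.fromhex("3003020101")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (used only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")  # base64, wrapped at 76 columns
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER.

    The fingerprint is taken over the DER encoding, never over the PEM text.
    """
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Digest of the DER certificate in the notation the Postfix documentation
    shows for smtp_tls_fingerprint_cert_match, which is also what
    `openssl x509 -noout -fingerprint -<digest>` prints after "Fingerprint=":
    upper-case hex pairs separated by colons.
    """
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: colons stripped, lower-case."""
    return fp.replace(":", "").strip().lower()


def fingerprint_matches(cert_fp: str, configured: str) -> bool:
    """Compare a certificate fingerprint with a smtp_tls_fingerprint_cert_match
    value (one or more fingerprints separated by commas or whitespace).

    This is the only check the fingerprint level relies on instead of chain,
    name and expiry validation, so a self-signed relay cert is fine as long as
    its digest is listed. Non-hex characters (a typo when copying the value)
    are rejected rather than silently never matching.
    """
    want = normalize(cert_fp)
    candidates = [normalize(c) for c in re.split(r"[,\s]+", configured.strip()) if c]
    for value in [want] + candidates:
        if len(value) % 2 or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError("not a hex fingerprint: " + value)
    return want in candidates


def main_cf_fragment(cert_pem: str, digest: str = "sha256") -> str:
    """main.cf lines that pin the relay's certificate by digest.

    smtp_tls_fingerprint_digest must name a digest the OpenSSL library
    supports; sha256 is assumed to be available here.
    """
    fp = fingerprint(pem_to_der(cert_pem), digest)
    return "\n".join([
        "smtp_tls_security_level = fingerprint",
        "smtp_tls_fingerprint_digest = " + digest,
        "smtp_tls_fingerprint_cert_match = " + fp,
    ])


if __name__ == "__main__":
    print(main_cf_fragment(SAMPLE_PEM))
    fp = fingerprint(SAMPLE_DER, "sha256")
    print("pin matches lower-case, uncoloned copy:",
          fingerprint_matches(fp, fp.lower().replace(":", "")))
```

The pin is the digest over the DER leaf certificate the relay presents, so it must be regenerated whenever the relay's certificate is reissued. That maintenance is the price of the stronger setting: encrypt, as used in the answer above, encrypts the session but accepts any certificate, so anyone who can interpose on the internal network can present their own; fingerprint refuses delivery unless the digest is listed.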

Since Postfix has chroot enabled (by default in Debian) in "/etc/postfix/master.cf":

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      unix  -       -       -       -       -       smtp

and the default value of the smtp_tls_CAfile variable is empty, the solution is to set it to the location of the certificates file inside the chroot:

In "/etc/postfix/main.cf":

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
rfmoz