edited 2012-01-28 11:30:43
I have a home mail server running Linux and Postfix that is the primary mail exchanger (MX) for its domain. In addition to the primary MTA, I have a secondary relay mail server on a static address, running FreeBSD and Postfix, in case my home connection goes down. I was looking for a way for my secondary (or primary) MTA (mail transport agent) to relay e-mail to my legitimate dynamic IP address after my home mail server had been down, by verifying that the host behind my dynamic domain name with an open port 25 was truly its relay destination.
I accomplished simple MTA-to-MTA verification using Postfix, which is installed on both servers, and the fingerprint of my home server's TLS certificate. When my backup mail exchange server receives mail for the domain, it queues it and relays it to my dynamic home server once that server is reachable again, but it will only deliver if the certificate presented over TLS has the expected MD5 fingerprint. If the fingerprint does not match, delivery is deferred and the message stays in the queue to be retried; Postfix keeps retrying until the fingerprint matches or the message reaches maximal_queue_lifetime (five days by default), at which point it is bounced rather than handed to an unverified host.
The first step is to take the MD5 fingerprint of your home (dynamic) Postfix server's TLS certificate, the PEM file named by the smtpd_tls_cert_file parameter in its main.cf (for example smtpd_tls_cert_file=/path/to/ssl-cert.pem), using the openssl command. Substitute -sha256 here, and sha256 for the digest name later on, if you want a stronger digest than MD5; whichever you pick must be the same in both places:
openssl x509 -noout -in /path/to/ssl-cert.pem -fingerprint -md5
Let's assume the MD5 fingerprint output is d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88 and that our dynamic domain name is domain.not. Let's also assume the home mail server is set up and ready to receive e-mail for this domain and your users.
On your static secondary (backup) MX server, make sure that domain.not is covered by the following parameters in main.cf. Postfix only accepts and queues mail for a domain it has been told to relay, so domain.not must be listed in relay_domains, and relay_recipient_maps should name a table of the valid recipients (hash:/etc/postfix/relay_recipient_maps.cf) so that the backup MX rejects unknown users at SMTP time instead of queueing their mail and bouncing it later.
The relay_recipient_maps.cf table contains your recipients (the right-hand value is ignored by Postfix) and may look like the following:
first.last@domain.not first.last@domain.not
Then execute: postmap /etc/postfix/relay_recipient_maps.cf (replace /etc/postfix with your configuration directory).
The table referenced by your transport_maps parameter may look like the following:
domain.not smtp:[domain.not]
The square brackets tell Postfix to connect to the address that domain.not resolves to, your home server's dynamic-DNS name, instead of looking up the domain's MX records (which list the backup MX itself). If your ISP blocks port 25, you may use the following to deliver to port 26, or to any higher unused port that is open; the home Postfix must then listen on that port too, with an extra smtpd entry in its master.cf:
domain.not smtp:[domain.not]:26
Now that we have the MD5 fingerprint of our home server, and the static backup server knows which e-mail to accept and where to deliver it once the home server is up, we can tell Postfix to deliver only if the home Postfix server presents its certificate when asked and the MD5 fingerprint of that certificate matches.
First tell Postfix which digest the fingerprints in the policy are made with; this must be the digest you used with openssl (md5 was the Postfix default when this was written; since Postfix 3.6 the default is sha256):
smtp_tls_fingerprint_digest = md5
Next, point Postfix at your TLS policy table:
smtp_tls_policy_maps = hash:${config_directory}/tls_policy.cf
Here is an example SMTP TLS policy map. Each entry is one line, and the lookup key must be the next-hop exactly as it appears in the transport table, square brackets included; if you added the :26 port suffix there, the key here must be [domain.not]:26.
[domain.not] fingerprint match=d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88
In the above TLS policy, delivery to [domain.not] requires TLS, and the MD5 fingerprint of the certificate the server presents must equal the match= value. Nothing else about the certificate is checked (not the issuer, not the host name), which is exactly what lets a self-signed certificate on a dynamic address be verified. Be sure to postmap the tls_policy.cf file and reload Postfix, and you will now be using simple, low-level MTA-to-MTA identification. A good delivery is logged as "Verified TLS connection established to ..."; on a mismatch the connection is logged as untrusted and the message is deferred with "Server certificate not verified". Keep in mind that the fingerprint changes whenever the home certificate is re-issued, so update the table before switching certificates (the match= attribute may be repeated to allow both the old and the new fingerprint during the change; Postfix 2.9 and later can also match the fingerprint of the public key, which survives re-issuing a certificate for the same key).
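As an added example, not code from the original post: a POSIX shell script that assembles the backup-MX side of the procedure above (recipient table, transport entry, TLS policy table and the main.cf parameters) from the transport next-hop and the certificate fingerprint, and checks the two things that most often go wrong with this setup: a policy key that does not match the transport next-hop (brackets and :26 suffix included) and a fingerprint whose length does not fit the digest named in smtp_tls_fingerprint_digest. The domain domain.not, port 26, the fingerprint and /etc/postfix are from the post; the file names transport and main.cf.snippet, the helper names, the constructed openssl output line in the comments, and smtp_tls_security_level = may as the default for destinations outside the policy table are assumptions of this example.

```shell
#!/bin/sh
# Added example for the Postfix backup-MX fingerprint setup described above;
# not code from the original post.  Assumptions: the file names "transport"
# and "main.cf.snippet", the helper names, the constructed openssl output
# quoted in the comments, and smtp_tls_security_level=may for other hosts.
set -eu

# "openssl x509 -noout -fingerprint -md5" prints one line such as this
# constructed sample:
#   MD5 Fingerprint=D5:68:DA:C4:CD:EE:0D:BA:3A:BC:DD:B6:7B:67:51:88
# Keep only the colon-separated digest, lower-cased as in the post's example.
parse_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9-]* Fingerprint=//p' | tr 'A-F' 'a-f'
}

# Fingerprint a real certificate file (needs openssl on PATH; the checks
# below do not call it).  Usage: cert_fingerprint /path/to/ssl-cert.pem md5|sha256
cert_fingerprint() {
    parse_fingerprint "$(openssl x509 -noout -in "$1" -fingerprint "-$2")"
}

# Sanity check: hex bytes separated by ":" with exactly as many bytes as the
# digest named in smtp_tls_fingerprint_digest produces.  A sha256 fingerprint
# under "digest = md5" can never match, and every delivery would be deferred.
fingerprint_ok() {   # fingerprint_ok md5|sha1|sha256 FINGERPRINT
    case $1 in
        md5) want=16 ;; sha1) want=20 ;; sha256) want=32 ;; *) return 1 ;;
    esac
    if ! printf '%s\n' "$2" | grep -Eq '^([0-9a-fA-F]{2}:)*[0-9a-fA-F]{2}$'; then
        return 1
    fi
    [ "$(printf '%s\n' "$2" | awk -F: '{print NF}')" -eq "$want" ]
}

# The tls_policy.cf lookup key is the next-hop exactly as written in the
# transport entry, brackets and any ":port" suffix included.  Deriving it
# from the transport value keeps the two tables from drifting apart.
policy_key_from_transport() {   # "smtp:[domain.not]:26" -> "[domain.not]:26"
    printf '%s\n' "$1" | sed 's/^[^:]*://'
}

tls_policy_line() {   # tls_policy_line "[domain.not]:26" d5:68:...
    printf '%s fingerprint match=%s\n' "$1" "$2"
}

# Write the relay-side tables and main.cf parameters into OUTDIR.  Try it on
# a scratch directory first, then on /etc/postfix; afterwards postmap the
# three tables and run "postfix reload".
# Usage: write_backup_mx_config OUTDIR DOMAIN TRANSPORT FINGERPRINT DIGEST RECIPIENT...
write_backup_mx_config() {
    outdir=$1; domain=$2; transport=$3; fp=$4; digest=$5
    shift 5
    fingerprint_ok "$digest" "$fp" || { echo "bad $digest fingerprint: $fp" >&2; return 1; }
    mkdir -p "$outdir"
    : > "$outdir/relay_recipient_maps.cf"
    for rcpt in "$@"; do          # right-hand value is ignored by Postfix
        printf '%s %s\n' "$rcpt" "$rcpt" >> "$outdir/relay_recipient_maps.cf"
    done
    printf '%s %s\n' "$domain" "$transport" > "$outdir/transport"
    tls_policy_line "$(policy_key_from_transport "$transport")" "$fp" > "$outdir/tls_policy.cf"
    cat > "$outdir/main.cf.snippet" <<EOF
relay_domains = $domain
relay_recipient_maps = hash:$outdir/relay_recipient_maps.cf
transport_maps = hash:$outdir/transport
smtp_tls_security_level = may
smtp_tls_fingerprint_digest = $digest
smtp_tls_policy_maps = hash:$outdir/tls_policy.cf
EOF
}

# Demo run, only when invoked as "sh backup-mx.sh demo", so that sourcing the
# file for its functions has no side effects.
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    write_backup_mx_config "$out" domain.not 'smtp:[domain.not]:26' \
        d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88 md5 first.last@domain.not
    for f in "$out"/*; do echo "== $f"; cat "$f"; done
fi
```

On the relay, run write_backup_mx_config with /etc/postfix as OUTDIR, merge main.cf.snippet into main.cf, postmap relay_recipient_maps.cf, transport and tls_policy.cf, then postfix reload. The fingerprint_ok check is worth keeping even when the files are written by hand: a fingerprint of the wrong length for the configured digest is never matched, so every delivery to the home server is deferred until the queue lifetime expires and the mail bounces.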