From b72f452d6fef4115d0f60615201359987ec40ae7 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 3 Dec 2015 22:29:06 +0100
Subject: Postfix TLS policy: Store the fingerprint of the cert's pubkey, not
 of the cert itself.

---
 roles/lists/templates/etc/postfix/relay_clientcerts.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'roles/lists/templates/etc/postfix')

diff --git a/roles/lists/templates/etc/postfix/relay_clientcerts.j2 b/roles/lists/templates/etc/postfix/relay_clientcerts.j2
index 42a83b5..eebaffb 100644
--- a/roles/lists/templates/etc/postfix/relay_clientcerts.j2
+++ b/roles/lists/templates/etc/postfix/relay_clientcerts.j2
@@ -2,5 +2,5 @@
 # /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
 
 {% for h in groups.MX | difference([inventory_hostname]) | sort %}
-{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }}
+{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -c | sed "s/[^ =]*=\s*//"') }} {{ h }}
 {% endfor %}
-- 
cgit v1.2.3