From b72f452d6fef4115d0f60615201359987ec40ae7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 3 Dec 2015 22:29:06 +0100 Subject: Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. --- roles/lists/templates/etc/postfix/relay_clientcerts.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/lists/templates/etc') diff --git a/roles/lists/templates/etc/postfix/relay_clientcerts.j2 b/roles/lists/templates/etc/postfix/relay_clientcerts.j2 index 42a83b5..eebaffb 100644 --- a/roles/lists/templates/etc/postfix/relay_clientcerts.j2 +++ b/roles/lists/templates/etc/postfix/relay_clientcerts.j2 @@ -2,5 +2,5 @@ # /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256! {% for h in groups.MX | difference([inventory_hostname]) | sort %} -{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }} +{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -c | sed "s/[^ =]*=\s*//"') }} {{ h }} {% endfor %} -- cgit v1.2.3