Channel: Postfix still complains that "certificate verification failed" even when "smtp_tls_security_level = fingerprint" - Server Fault

Postfix still complains that "certificate verification failed" even when "smtp_tls_security_level = fingerprint"


I'm attempting to use Postfix (version 2.6.6 on RHEL6) to connect to and send mail via a mail relay on our internal network. I want to connect with STARTTLS on port 25 (port 465 is not available on this server). The mail relay uses a self-signed SSL/TLS certificate, so I needed to skip certificate verification using a certificate authority. I discovered smtp_tls_security_level = fingerprint, which does not check the trust chain, expiration date, etc. Instead it verifies using the certificate fingerprint.

I figured this was the perfect solution, but when I attempt to send an email, I still get errors in /var/log/maillog that say postfix/smtp[15182]: certificate verification failed for xxxxxxxxxxxx[zz.zz.zz.zz]:25: untrusted issuer.

I thought the whole point of the fingerprint security level was to skip certificate verification. Am I misunderstanding the point of this option? Is there something else I need to configure?

Here are the relevant lines from main.cf:

relayhost = [xxx.xxx.xxx]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options=
smtp_generic_maps = hash:/etc/postfix/generic
smtp_use_tls = yes
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
# fingerprint changed for ServerFault. just an example.
smtp_tls_fingerprint_cert_match = c1:d3:54:12:00:r0:ef:fa:42:48:10:ff:ac:1e:75:13:dd:ad:af:3e
smtp_tls_note_starttls_offer = yes

Edit: added bold
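
The comparison that the fingerprint level relies on, as an added Python example (not part of the original question and not Postfix's own code): it hashes the DER-encoded certificate and checks the result against the configured values, reporting entries that cannot be valid digests. The function names, SAMPLE_DER, and the choice to ignore case and colons when comparing are assumptions of this example.

```python
import hashlib
import re

# Digest lengths in bytes for the algorithms this example accepts.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}


def cert_fingerprint(der: bytes, digest: str = "sha1") -> str:
    """Digest of the DER-encoded certificate as upper-case, colon-separated hex."""
    raw = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def normalize(value: str, digest: str = "sha1") -> str:
    """Canonical form of a configured fingerprint, or ValueError if malformed."""
    compact = value.strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", compact):
        raise ValueError(f"non-hex character in fingerprint: {value!r}")
    if len(compact) != 2 * DIGEST_BYTES[digest]:
        raise ValueError(f"wrong length for {digest}: {value!r}")
    return ":".join(compact[i:i + 2] for i in range(0, len(compact), 2))


def check_match(der: bytes, configured: list, digest: str = "sha1"):
    """Return (matched, malformed_entries) for a list of configured fingerprints."""
    actual = cert_fingerprint(der, digest)
    matched, malformed = False, []
    for entry in configured:
        try:
            if normalize(entry, digest) == actual:
                matched = True
        except ValueError:
            malformed.append(entry)
    return matched, malformed


# Constructed stand-in for the relay certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"abc"
# First entry: the altered placeholder value from the question.
# Second entry: the SHA-1 of SAMPLE_DER, written in lower case.
SAMPLE_CONFIG = [
    "c1:d3:54:12:00:r0:ef:fa:42:48:10:ff:ac:1e:75:13:dd:ad:af:3e",
    "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d",
]

if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_DER))
    print(check_match(SAMPLE_DER, SAMPLE_CONFIG))
```

With a real certificate, pass the DER bytes (for example the output of openssl x509 -outform DER) instead of SAMPLE_DER.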

