TLS: Migrate from *encrypt* to *verify* for specific domain

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS: Migrate from *encrypt* to *verify* for specific domain

Paul Menzel
Dear Postfix folks,


Currently, our `/etc/postfix/tls_policy` looks like below to force
encryption when sending messages to other servers in our organization.

     mpg.de                            encrypt
     .mpg.de                           encrypt

We want to improve that. Unfortunately, DANE is not an option as the DFN
does not support that, and a lot of German research organizations and
institutes use that for receiving messages.

We do not have control over the other servers, but want to migrate to
*verify* [1].

Can you recommend a strategy how to do that? Is there a way to use
verify, and then fall back to encrypt, but log that, so that the other
postmasters can be informed? Or should we maintain a separate list in
some central place, which interested parties contribute to?


Kind regards,

Paul


[1]: http://www.postfix.org/TLS_README.html#client_tls_verify
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Viktor Dukhovni


> On Sep 25, 2018, at 9:29 AM, Paul Menzel <[hidden email]> wrote:
>
> We want to improve that. Unfortunately, DANE is not an option as the DFN
> does not support that,

What do you mean by "DFN does not support that"?  If by "DFN" you mean
"DFN-Verein", their certificates pose no compatibility issues with DANE.
For example:

    uni-wuppertal.de. IN MX 20 mail1.uni-wuppertal.de. ; NoError AD=1
    uni-wuppertal.de. IN MX 20 mail2.uni-wuppertal.de. ; NoError AD=1
    mail1.uni-wuppertal.de. IN A 132.195.64.21 ; NoError AD=1
    mail1.uni-wuppertal.de. IN AAAA 2001:638:50a:64::21 ; NoError AD=1
    _25._tcp.mail1.uni-wuppertal.de. IN TLSA 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422 ; NoError AD=1
      mail1.uni-wuppertal.de[132.195.64.21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
      mail1.uni-wuppertal.de[2001:638:50a:64::21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
        TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
        name = mail1.uni-wuppertal.de
        depth = 0
          Issuer CommonName = Uni-Wuppertal CA
          Issuer Organization = Bergische Universitaet Wuppertal
          notBefore = 2016-11-02T09:23:43Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = mail1.uni-wuppertal.de
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [matched] <- 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422
        depth = 1
          Issuer CommonName = DFN-Verein PCA Global - G01
          Issuer Organization = DFN-Verein
          notBefore = 2014-05-27T14:53:55Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Uni-Wuppertal CA
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
        depth = 2
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 2014-07-22T12:08:26Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = DFN-Verein PCA Global - G01
          Subject Organization = DFN-Verein
          pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
        depth = 3
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 1999-07-09T12:11:00Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Deutsche Telekom Root CA 2
          Subject Organization = Deutsche Telekom AG
          pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6
    mail2.uni-wuppertal.de. IN A 132.195.64.6 ; NoError AD=1
    mail2.uni-wuppertal.de. IN AAAA 2001:638:50a:64::6 ; NoError AD=1
    _25._tcp.mail2.uni-wuppertal.de. IN TLSA 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a ; NoError AD=1
      mail2.uni-wuppertal.de[132.195.64.6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
      mail2.uni-wuppertal.de[2001:638:50a:64::6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
        TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
        name = mail2.uni-wuppertal.de
        depth = 0
          Issuer CommonName = Uni-Wuppertal CA
          Issuer Organization = Bergische Universitaet Wuppertal
          notBefore = 2016-11-02T09:23:45Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = mail2.uni-wuppertal.de
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [matched] <- 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a
        depth = 1
          Issuer CommonName = DFN-Verein PCA Global - G01
          Issuer Organization = DFN-Verein
          notBefore = 2014-05-27T14:53:55Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Uni-Wuppertal CA
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
        depth = 2
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 2014-07-22T12:08:26Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = DFN-Verein PCA Global - G01
          Subject Organization = DFN-Verein
          pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
        depth = 3
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 1999-07-09T12:11:00Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Deutsche Telekom Root CA 2
          Subject Organization = Deutsche Telekom AG
          pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6


> and a lot of German research organizations and institutes use that for receiving messages.

The DANE survey finds 21 domains with DFN-Verein certificates and working
DANE.  There are almost certainly some that don't have DANE TLSA records,
but they could if they wanted to.  As for "soft failure" with "verify"
(or "secure"), that's not presently supported in Postfix.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Viktor Dukhovni


> On Sep 25, 2018, at 11:34 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> The DANE survey finds 21 domains with DFN-Verein certificates and working
> DANE.  There are almost certainly some that don't have DANE TLSA records,
> but they could if they wanted to.

FWIW, the certificates found among DANE-enabled domains with DFN-Verein
issued certificates list the below organizations:

      Subject Organization = Bayerische Akademie der Wissenschaften
      Subject Organization = Bergische Universitaet Wuppertal
      Subject Organization = Hochschule Bremen
      Subject Organization = Hochschule Trier - Trier University of Applied Sciences
      Subject Organization = Hochschule fuer angewandte Wissenschaften Augsburg
      Subject Organization = Ludwig-Maximilians-Universitaet Muenchen
      Subject Organization = Max-Planck-Gesellschaft
      Subject Organization = Ruhr-Universitaet Bochum
      Subject Organization = Technische Hochschule Nuernberg Georg Simon Ohm
      Subject Organization = Technische Universitaet Dresden
      Subject Organization = Technische Universitaet Hamburg-Harburg
      Subject Organization = Technische Universitaet Kaiserslautern
      Subject Organization = Universitaet Erlangen-Nuernberg
      Subject Organization = Universitaet Passau
      Subject Organization = Universitaet Regensburg
      Subject Organization = Universitaet Rostock

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Wietse Venema
In reply to this post by Viktor Dukhovni
Viktor Dukhovni:
> The DANE survey finds 21 domains with DFN-Verein certificates and working
> DANE.  There are almost certainly some that don't have DANE TLSA records,
> but they could if they wanted to.  As for "soft failure" with "verify"
> (or "secure"), that's not presently supported in Postfix.

What about using smtp_delivery_status_filter?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Viktor Dukhovni


> On Sep 25, 2018, at 11:58 AM, Wietse Venema <[hidden email]> wrote:
>
>> As for "soft failure" with "verify"
>> (or "secure"), that's not presently supported in Postfix.
>
> What about using smtp_delivery_status_filter?

By "soft failure", I meant the OP's request to deliver anyway and
just log a warning.  We already tempfail on authentication errors.

What we don't have is "try-tls" setting, that is insecure, but
tamper-evident.

--
        Viktor.



--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Paul Menzel
In reply to this post by Viktor Dukhovni
Dear Viktor,


Am 25.09.2018 um 17:42 schrieb Viktor Dukhovni:

>> On Sep 25, 2018, at 11:34 AM, Viktor Dukhovni <[hidden email]> wrote:
>>
>> The DANE survey finds 21 domains with DFN-Verein certificates and working
>> DANE.  There are almost certainly some that don't have DANE TLSA records,
>> but they could if they wanted to.
>
> FWIW, the certificates found among DANE-enabled domains with DFN-Verein
> issued certificates list the below organizations:
>
>        Subject Organization = Bayerische Akademie der Wissenschaften
>        Subject Organization = Bergische Universitaet Wuppertal
>        Subject Organization = Hochschule Bremen
>        Subject Organization = Hochschule Trier - Trier University of Applied Sciences
>        Subject Organization = Hochschule fuer angewandte Wissenschaften Augsburg
>        Subject Organization = Ludwig-Maximilians-Universitaet Muenchen
>        Subject Organization = Max-Planck-Gesellschaft

I assume, that’s mpifr-bonn.mpg.de. That’s the only institute I am aware
of using DANE.

>        Subject Organization = Ruhr-Universitaet Bochum
>        Subject Organization = Technische Hochschule Nuernberg Georg Simon Ohm
>        Subject Organization = Technische Universitaet Dresden
>        Subject Organization = Technische Universitaet Hamburg-Harburg
>        Subject Organization = Technische Universitaet Kaiserslautern
>        Subject Organization = Universitaet Erlangen-Nuernberg
>        Subject Organization = Universitaet Passau
>        Subject Organization = Universitaet Regensburg
>        Subject Organization = Universitaet Rostock

Thank you for the overview.


Kind regards,

Paul
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Bernhard Schmidt
In reply to this post by Viktor Dukhovni
Am 25.09.18 um 17:34 schrieb Viktor Dukhovni:

>
>
>> On Sep 25, 2018, at 9:29 AM, Paul Menzel <[hidden email]> wrote:
>>
>> We want to improve that. Unfortunately, DANE is not an option as the DFN
>> does not support that,
>
> What do you mean by "DFN does not support that"?  If by "DFN" you mean
> "DFN-Verein", their certificates pose no compatibility issues with DANE.
> For example:

Large parts of the german universities now use the DFN MailSupport (=
inbound mailrelaying and filtering by DFN). The MX records are in
mx.srv.dfn.de, which is not signed (whole dfn.de is not signed). So you
can have your own zone DNSSEC enabled, but not the one with the MX.

I heard they are working on this. This is also a blocker of our project
to have DANE-secured SMTP transport for all bavarian universities.

Bernhard
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Viktor Dukhovni


> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt <[hidden email]> wrote:
>
> Large parts of the german universities now use the DFN MailSupport (=
> inbound mailrelaying and filtering by DFN). The MX records are in
> mx.srv.dfn.de, which is not signed (whole dfn.de is not signed). So you
> can have your own zone DNSSEC enabled, but not the one with the MX.

Good to know.  Thanks.

> I heard they are working on this. This is also a blocker of our project
> to have DANE-secured SMTP transport for all bavarian universities.

I wish them luck (really sound planning and execution, luck has little to
do with it).  I also hope that the plan includes securing the downstream
hop from the DFN gateway to the client institution, unless DFN is also
providing IMAP, Webmail, ...

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Viktor Dukhovni
In reply to this post by Paul Menzel
> On Sep 26, 2018, at 2:29 AM, Paul Menzel <[hidden email]> wrote:
>
>> FWIW, the certificates found among DANE-enabled domains with DFN-Verein
>> issued certificates list the below organizations:
>>       Subject Organization = Bayerische Akademie der Wissenschaften
>>       Subject Organization = Bergische Universitaet Wuppertal
>>       Subject Organization = Hochschule Bremen
>>       Subject Organization = Hochschule Trier - Trier University of Applied Sciences
>>       Subject Organization = Hochschule fuer angewandte Wissenschaften Augsburg
>>       Subject Organization = Ludwig-Maximilians-Universitaet Muenchen
>>       Subject Organization = Max-Planck-Gesellschaft
>
> I assume, that’s mpifr-bonn.mpg.de. That’s the only institute I am aware of using DANE.

Yes, that's the domain for that particular organization.

>>       Subject Organization = Ruhr-Universitaet Bochum
>>       Subject Organization = Technische Hochschule Nuernberg Georg Simon Ohm
>>       Subject Organization = Technische Universitaet Dresden
>>       Subject Organization = Technische Universitaet Hamburg-Harburg
>>       Subject Organization = Technische Universitaet Kaiserslautern
>>       Subject Organization = Universitaet Erlangen-Nuernberg
>>       Subject Organization = Universitaet Passau
>>       Subject Organization = Universitaet Regensburg
>>       Subject Organization = Universitaet Rostock

Below my signature are the 106 DANE-enabled domains with MX hosts sporting
DFN-Verein certs that I've been able to find.  More domains than MX hosts,
as many handle multiple domains.

--
        Viktor.

tac-coburg.com
agdsn.de
analog-insydes.de
badw.de
badw-muenchen.de
bayerisches-nationalmuseum.de
bayernbeben.de
beckerr.de
beste-fachschaft.de
bib-bvb.de
cdtm.de
cens.de
chirurgische-kleintierklinik.de
cresst.de
erdbeben-in-bayern.de
erdbebendienst.de
euro-uni-international.de
eurouni-international.de
eurouniinternational.de
fau.de
fsei.de
galeriefest.de
gendermint.de
hff-muc.de
hfph.de
hfpm.de
hhg-kl.de
hios-projekt.de
hmtm.de
hochschulbibliotheken-bayern.de
hs-augsburg.de
hs-coburg.de
hswt.de
icsy.de
ita-kl.de
itwm.de
ksfh.de
ksh-m.de
ksh-muenchen.de
lmu.de
lrz.de
lrz-muenchen.de
max-bill.de
hff-muenchen.mhn.de
hfp.mhn.de
kktstb.mhn.de
kms.mhn.de
paulinum.mhn.de
stif2.mhn.de
stkm.mhn.de
studienkolleg.mhn.de
stusta.mhn.de
mpifr-bonn.mpg.de
antike-am-koenigsplatz.mwn.de
bnm.mwn.de
bsm.mwn.de
graphische-sammlung.mwn.de
hfph.mwn.de
xtest.mwn.de
mytum.de
naturalhistorybavaria.de
naturwissenschaftlichesammlungenbayerns.de
nithh.de
optimal-portfolios.de
optimalportfolios.de
rrze.de
rub.de
ruhr-uni-bochum.de
sampe.de
snsb.de
stusta.de
stustanet.de
tac-coburg.de
th-nuernberg.de
tu-hamburg.de
tu-harburg.de
tu-kaiserslautern.de
tu-kl.de
tu-muenchen.de
tuhh.de
tukl.de
tum.de
uni-erlangen.de
uni-kaiserslautern.de
uni-kl.de
uni-muenchen.de
physik.uni-muenchen.de
uni-passau.de
uni-regensburg.de
uni-rostock.de
uni-wuppertal.de
universitaet-kaiserslautern.de
universitaet-kl.de
universitaetkaiserslautern.de
vcrp.de
vetsurgery.de
wimamuc.de
xn--universitt-passau-yqb.de
bauhow5.eu
enviroinfo2018.eu
fachhochschule-bremen.eu
fh-bremen.eu
hochschule-bremen.eu
hs-bremen.eu
stusta.net
hsb.university
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Paul Menzel
In reply to this post by Viktor Dukhovni
Dear Viktor, dear Bernhard,


On 09/26/18 09:37, Viktor Dukhovni wrote:

>> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt wrote:
>>
>> Large parts of the german universities now use the DFN MailSupport
>> (= inbound mailrelaying and filtering by DFN). The MX records are
>> in mx.srv.dfn.de, which is not signed (whole dfn.de is not signed).
>> So you can have your own zone DNSSEC enabled, but not the one with
>> the MX.
>
> Good to know.  Thanks.

Yes, that is what I meant. Bernhard, thank you for answering and
clarifying that.

>> I heard they are working on this. This is also a blocker of our
>> project to have DANE-secured SMTP transport for all bavarian
>> universities.
>
> I wish them luck (really sound planning and execution, luck has
> little to do with it).

Unfortunately, to my knowledge, it’s not high on their to-do list.
Only a few of their clients have requested this feature explicitly.
I’ll work on raising awareness. Bernhard, all the Bavarian
institutions should open a support ticket at the DFN mail support.
It’s my understanding, that this would influence the priority.

> I also hope that the plan includes securing the downstream hop from
> the DFN gateway to the client institution, unless DFN is also
> providing IMAP, Webmail, ...

I do not know, how the downstream hop is secured currently. Either
hard coding the IP address of the MTA, using certificates or just
DANE would be feasible. We should do that for our mail system.
Thank you for the reminder.

For the record, the DFN network has it’s own network infrastructure
with “cables” and network gear operated over Germany, so it’s not
easy for somebody “from the Internet” to eaves drop [1][2]. Common
methods for securing the transfer should be used nevertheless.


Kind regards,

Paul


[1]: https://www.dfn.de/xwin/faserplattform/
[2]: https://www.dfn.de/fileadmin/1Dienstleistungen/XWIN/Topologie.pdf


smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TLS: Migrate from *encrypt* to *verify* for specific domain

Paul Menzel
Dear Viktor,


On 09/26/18 16:46, Paul Menzel wrote:

> On 09/26/18 09:37, Viktor Dukhovni wrote:
>
>>> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt wrote:
>>>
>>> Large parts of the german universities now use the DFN MailSupport
>>> (= inbound mailrelaying and filtering by DFN). The MX records are
>>> in mx.srv.dfn.de, which is not signed (whole dfn.de is not signed).
>>> So you can have your own zone DNSSEC enabled, but not the one with
>>> the MX.
>>
>> Good to know.  Thanks.
>
> Yes, that is what I meant. Bernhard, thank you for answering and
> clarifying that.
>
>>> I heard they are working on this. This is also a blocker of our
>>> project to have DANE-secured SMTP transport for all bavarian
>>> universities.
>>
>> I wish them luck (really sound planning and execution, luck has
>> little to do with it).
>
> Unfortunately, to my knowledge, it’s not high on their to-do list.
> Only a few of their clients have requested this feature explicitly.
> I’ll work on raising awareness. Bernhard, all the Bavarian
> institutions should open a support ticket at the DFN mail support.
> It’s my understanding, that this would influence the priority.
>
>> I also hope that the plan includes securing the downstream hop from
>> the DFN gateway to the client institution, unless DFN is also
>> providing IMAP, Webmail, ...
>
> I do not know, how the downstream hop is secured currently. Either
> hard coding the IP address of the MTA, using certificates or just
> DANE would be feasible. We should do that for our mail system.
> Thank you for the reminder.
My colleagues already set up TLSA records for mx.molgen.mpg.de [3].
So I’ll ask the mail support to enable dane-only for that connection.

> For the record, the DFN network has it’s own network infrastructure
> with “cables” and network gear operated over Germany, so it’s not
> easy for somebody “from the Internet” to eaves drop [1][2]. Common
> methods for securing the transfer should be used nevertheless.


Kind regards,

Paul


> [1]: https://www.dfn.de/xwin/faserplattform/
> [2]: https://www.dfn.de/fileadmin/1Dienstleistungen/XWIN/Topologie.pdf
[3]: $ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary mx.molgen.mpg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.mx.molgen.mpg.de IN TLSA 3 1 2 02:E4:F7:97:85:C7:08:1D:84:63:1A:23:A4:EC:B1:B6:26:24:1F:DC:68:D0:FA:80:B1:10:EF:5E:4C:2C:AF:5E:3F:B9:59:9C:6B:EA:D2:50:4E:4A:BB:6E:2A:73:94:14:11:46:65:F1:69:5C:ED:D7:80:E6:40:5F:19:7E:33:D6
posttls-finger: setting up TLS connection to mx.molgen.mpg.de[141.14.17.8]:25
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=3 verify=0 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=3 verify=1 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=2 verify=1 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=1 verify=1 subject=/C=DE/O=Max-Planck-Gesellschaft/CN=MPG CA/emailAddress=[hidden email]
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=Max-Planck-Gesellschaft/OU=Max-Planck-Institut fuer molekulare Genetik/CN=mx.molgen.mpg.de
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=0 matched end entity public-key sha512 digest=02:E4:F7:97:85:C7:08:1D:84:63:1A:23:A4:EC:B1:B6:26:24:1F:DC:68:D0:FA:80:B1:10:EF:5E:4C:2C:AF:5E:3F:B9:59:9C:6B:EA:D2:50:4E:4A:BB:6E:2A:73:94:14:11:46:65:F1:69:5C:ED:D7:80:E6:40:5F:19:7E:33:D6
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: subject_CN=mx.molgen.mpg.de, issuer_CN=MPG CA, fingerprint=76:A9:04:3A:1E:27:1B:3A:28:9A:C1:A8:9A:64:C9:D0:FB:14:7F:D9, pkey_fingerprint=6A:2A:F0:14:CD:75:B2:D2:58:5A:50:83:F2:DF:A4:8A:4A:E9:66:8E
posttls-finger: Verified TLS connection established to mx.molgen.mpg.de[141.14.17.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


smime.p7s (6K) Download Attachment