OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: TLS smtp_tls_CApath and /etc/ssl/certs

From: Jan C. (chaljangmail.com)
Date: Wed Jun 09 2010 - 03:22:16 CDT

Hi Viktor,
thanks for your answer but that does not answer by question. Is the
/etc/ssl/certs directory loaded also by default ? I did the test:
smtp_tls_CApath = /foo/bar
I added/hashed some certs in /foo/bar

When postfix connects to a smtp server (tls verify), certificates
issued by CAs from /etc/ssl/certs AND from /foo/bar are trusted. Do
you confirm this ?

Thanks,
Jan

On Tue, Jun 8, 2010 at 5:56 PM, Victor Duchovni
<Victor.Duchovnimorganstanley.com> wrote:
> On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
>
>> I have my postfix set up as a TLS client to other smtp servers. I
>> point smtp_tls_CApath to a directory where I store my own imported
>> trusted CAs. My question is whether or not Postfix will also load the
>> Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
>> set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?
>
> http://www.postfix.org/TLS_README.html#client_cert_key
>
>    To verify a remote SMTP server certificate, the Postfix SMTP
>    client needs to trust the certificates of the issuing certification
>    authorities. These certificates in "pem" format can be stored in
>    a single $smtp_tls_CAfile  or in multiple files, one CA per file
>    in the $smtp_tls_CApath  directory. If you use a directory, don't
>    forget to create the necessary "hash" links with:
>
>        # $OPENSSL_HOME/bin/c_rehash /path/to/directory
>
>    The $smtp_tls_CAfile contains the CA certificates of one or more
>    trusted CAs. The file is opened (with root privileges) before Postfix
>    enters the optional chroot jail and so need not be accessible from
>    inside the chroot jail.
>
>    Additional trusted CAs can be specified via the $smtp_tls_CApath
>    directory, in which case the certificates are read (with $mail_owner
>    privileges) from the files in the directory when the information is
>    needed. Thus, the $smtp_tls_CApath  directory needs to be accessible
>    inside the optional chroot jail.
>
>    The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
>    space/time tradeoff. If there are many trusted CAs, the cost of
>    preloading them all into memory may not pay off in reduced access
>    time when the certificate is needed.
>
>    Example:
>
>        /etc/postfix/main.cf:
>            smtp_tls_CAfile = /etc/postfix/CAcert.pem
>            smtp_tls_CApath = /etc/postfix/certs
>
> See also the recent posts about migrating from 0.9.8 CApath to 1.0.0
> CApath where the hash links made by c_rehash are not 0.9.8 compatible
> (and vice versa).
>
> --
>        Viktor.
>