Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jan C. (chaljangmail.com)
Date: Wed Jun 09 2010 - 03:22:16 CDT
thanks for your answer but that does not answer by question. Is the
/etc/ssl/certs directory loaded also by default ? I did the test:
smtp_tls_CApath = /foo/bar
I added/hashed some certs in /foo/bar
When postfix connects to a smtp server (tls verify), certificates
issued by CAs from /etc/ssl/certs AND from /foo/bar are trusted. Do
you confirm this ?
On Tue, Jun 8, 2010 at 5:56 PM, Victor Duchovni
> On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
>> I have my postfix set up as a TLS client to other smtp servers. I
>> point smtp_tls_CApath to a directory where I store my own imported
>> trusted CAs. My question is whether or not Postfix will also load the
>> Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
>> set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?
> To verify a remote SMTP server certificate, the Postfix SMTP
> client needs to trust the certificates of the issuing certification
> authorities. These certificates in "pem" format can be stored in
> a single $smtp_tls_CAfile or in multiple files, one CA per file
> in the $smtp_tls_CApath directory. If you use a directory, don't
> forget to create the necessary "hash" links with:
> # $OPENSSL_HOME/bin/c_rehash /path/to/directory
> The $smtp_tls_CAfile contains the CA certificates of one or more
> trusted CAs. The file is opened (with root privileges) before Postfix
> enters the optional chroot jail and so need not be accessible from
> inside the chroot jail.
> Additional trusted CAs can be specified via the $smtp_tls_CApath
> directory, in which case the certificates are read (with $mail_owner
> privileges) from the files in the directory when the information is
> needed. Thus, the $smtp_tls_CApath directory needs to be accessible
> inside the optional chroot jail.
> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
> space/time tradeoff. If there are many trusted CAs, the cost of
> preloading them all into memory may not pay off in reduced access
> time when the certificate is needed.
> smtp_tls_CAfile = /etc/postfix/CAcert.pem
> smtp_tls_CApath = /etc/postfix/certs
> See also the recent posts about migrating from 0.9.8 CApath to 1.0.0
> CApath where the hash links made by c_rehash are not 0.9.8 compatible
> (and vice versa).