On Wed, Feb 25, 2009 at 02:14:40PM +0100, Manuel Pégourié-Gonnard wrote:

> I'm afraid I don't understand what the directive smtp_tls_CAfile does
> exactly. According to postconf(5),
> 
> > smtp_tls_CAfile (default: empty)
> >   The file with the certificate of the certification authority (CA)  that
> >   issued  the  Postfix SMTP client certificate.  This is needed only when
> >   the CA certificate is not already present  in  the  client  certificate
> >   file.
> 
> So this should not be used to verify a server's certificate. In
> practice, if the file pointed to by smtp_tls_CAfile is a concatenation
> of CA's certificates, then they are all used to verify the server's
> certificate.

Yes, smtp_tls_CAfile is used to verify server certificates, you can have
all the trusted CAs in one file, or as separate (hashed via c_rehash)
files in the directory named by smtp_tls_CApath.

If your client certificate trust chain is incomplete, OpenSSL will use
certificates from CAfile to construct the complete trust chain to send
to the server.

Generally, SMTP servers don't request client certificates and clients
don't need them (can't use them).

If you do configure client certificates (don't unless you know you
need them), it is best to place the full trust chain in the client
certificate file, leaf certificate first, then any intermediate CA
that signed the leaf cert, and so on up to the root.

> OTOH, server certificate verification should be done against
> certificates in the directory indicated by smtp_tls_CApath. For some
> reason, I didn't manage to get it working (and yes, I ran c_rehash on
> this directory).

Perhaps your smtp(8) client is chrooted.

> My servers are finally working as I want wrt TLS, but I feel very
> uncomfortable with this situation: the directive which should do the job
> according to the manual doesn't work, and the directive which shouldn't do
> it, does it.
> 
> Did I misunderstand something in the manual? If not, may I suggest
> updating either the manual or the code so that they match?

Perhaps the documentation could be improved, the primary purpose of CA
is to hold trusted root CA certs, you can choose between a single file
with multiple certs or a directory with separate certs. The directory
avoids the cost of loading all the root CAs into memory. If you have a
lot of root CAs using CApath is more efficient.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
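
A check for the chroot case suggested in the reply above, as an added example (not part of the original message and not Postfix code). It assumes that a chrooted smtp(8) client resolves smtp_tls_CApath inside the queue directory; the master.cf lines, directory names and hash file name are constructed samples, and the function names are hypothetical.

```python
import os
import re
import tempfile

# c_rehash names its links <8 hex digits>.<n>, e.g. 5ad8a5d6.0
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")

def smtp_client_chrooted(master_cf, default="n"):
    """True if the smtp(8) client entry (type 'unix') in master.cf is chrooted.
    'default' is what '-' in the chroot column means on this install (assumption)."""
    for line in master_cf.splitlines():
        if not line or line[0] in "# \t":      # skip comments and continuation lines
            continue
        f = line.split()
        # columns: service type private unpriv chroot wakeup maxproc command
        if len(f) >= 8 and f[0] == "smtp" and f[1] == "unix":
            return (default if f[4] == "-" else f[4]) == "y"
    return False

def check_capath(capath, queue_dir, chrooted):
    """Return (path as the smtp process sees it, 'ok' | 'missing' | 'not rehashed')."""
    seen = os.path.join(queue_dir, capath.lstrip("/")) if chrooted else capath
    if not os.path.isdir(seen):
        return seen, "missing"
    if not any(HASH_LINK.match(n) for n in os.listdir(seen)):
        return seen, "not rehashed"
    return seen, "ok"

# Constructed sample: the smtpd server (inet) and a chrooted smtp client (unix).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       y       -       -       smtp
"""

def demo():
    """Same rehashed directory, checked as an unchrooted and a chrooted client."""
    with tempfile.TemporaryDirectory() as root:
        capath = os.path.join(root, "etc/ssl/certs")      # stand-in for CApath
        queue = os.path.join(root, "var/spool/postfix")   # stand-in for queue_directory
        os.makedirs(capath)
        os.makedirs(queue)
        open(os.path.join(capath, "5ad8a5d6.0"), "w").close()  # fake rehashed entry
        chrooted = smtp_client_chrooted(SAMPLE_MASTER_CF)
        return (chrooted, check_capath(capath, queue, False)[1],
                check_capath(capath, queue, chrooted)[1])

if __name__ == "__main__":
    print(demo())
```

The directory that passes for an unchrooted client is reported as missing once the client is chrooted, because no copy of it exists under the queue directory.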
