On Wed, Feb 25, 2009 at 05:19:48PM +0100, Manuel Pégourié-Gonnard wrote:

> >> OTOH, server certificate verification should be done against
> >> certificates in the directory indicated by smtp_tls_CApath. For some
> >> reason, I didn't manage to get it working (and yes, I ran c_rehash on
> >> this directory).
> > 
> > Perhaps your smtp(8) client is chrooted.
> > 
> I don't think it is. I would otherwise not be able to find the file
> indicated by smtp_tls_CAfile.

No, this file is loaded into memory before smtp(8) enters the chroot
jail, while smtp_tls_CApath is accessed post-jail.

> > Perhaps the documentation could be improved, the primary purpose of CA
> > is to hold trusted root CA certs, you can choose between a single file
> > with multiple certs or a directory with separate certs. The directory
> > avoids the cost of loading all the root CAs into memory. If you have a
> > lot of root CAs using CApath is more efficient.
>
> In my case the file with all trusted CAs is 224K. Is it a problem
> concerning efficiency?

Well, that's modestly large, but not prohibitive. You can always raise
max_use and/or max_idle to reduce the average cost of parsing the file
per message delivered, but this will cost you some memory: with 100
delivery agents that's 22.4 MB of RAM system-wide, with 1000 delivery
agents that's 224 MB of RAM.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
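The point of the exchange above is that smtp_tls_CApath is opened by the running smtp(8) client, so it has to be a directory of hashed CA files that is visible from wherever the client runs, and the hashed names have to be right. The following script is an added example, not code from the original thread or from Postfix itself: it splits a CA bundle into one file per certificate, rebuilds the hash-named entries that c_rehash would create (using openssl's -subject_hash), and checks the result with openssl verify. The function names, the temporary directories and the throwaway self-signed test CAs are all constructed for the example; the only real assumption is that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not Postfix's own code): build and check a CApath
# directory by hand, the way c_rehash does. Requires the openssl CLI.
set -eu

# Split a multi-certificate PEM bundle ($1) into cert1.pem, cert2.pem,
# ... in directory $2. Anything outside BEGIN/END CERTIFICATE is dropped.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
}

# Populate CApath directory $2 from the single-cert PEM files in $1.
# Each certificate is stored as <subject_hash>.<N>, the naming that
# OpenSSL looks up in a CApath; N disambiguates hash collisions.
build_capath() {
    srcdir=$1; capath=$2
    mkdir -p "$capath"
    for cert in "$srcdir"/*.pem; do
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$capath/$hash.$n"
    done
}

# Number of correctly named entries in CApath $1. A directory that was
# never hashed (plain cert names only) yields 0 and verifies nothing.
capath_entries() {
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# Verify certificate $2 against CApath $1; exit status is the answer.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a throwaway self-signed CA written to $1.pem
# (key in $1.key) with common name $2. Not a real trust anchor.
make_test_ca() {
    out=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$out.key" -out "$out.pem" -subj "/CN=$cn" >/dev/null 2>&1
}
```

For a chrooted smtp(8) the directory must be placed under the queue directory (for example under /var/spool/postfix/etc/) and smtp_tls_CApath set to its path as seen from inside the jail; a correctly hashed directory outside the jail fails in exactly the silent way described in the thread. After changing the directory's contents, rerun the hashing step, since OpenSSL only looks up the hash-named entries.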