Victor Duchovni wrote:
> --- 8873,8892 ----
> <p> The best way to use the default settings is to comment out the above
> parameters in main.cf if present. </p>
>
> ! <p> In order for remote SMTP servers to verify the Postfix SMTP client
> ! certificate, the issuing CA certificate must be made available to the
> ! server. You should include the required certificates in the client
> ! certificate file, the client certificate first, then the issuing
> ! CA(s). </p>
> !
> ! <p> To enable remote SMTP servers to verify the Postfix SMTP client
> ! certificate, the issuing CA certificates must be made available to the
> ! server. You should include the required certificates in the client
> ! certificate file, the client certificate first, then the issuing
> ! CA(s) (bottom-up order). </p>
>

Hmm, isn't it twice the same paragraph (or two versions of it)?
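Review bot: The two added `<p>` blocks in this hunk duplicate each other; the first reads like an earlier draft of the second, which only adds "CA certificates" (plural) and "(bottom-up order)". Drop the first paragraph and keep the second, since "bottom-up order" is the detail that tells the reader how to order the client certificate file.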
> --- 8927,8940 ----
>
> %PARAM smtp_tls_CAfile
>
> ! <p> A file containing CA certificates of root CAs trusted to sign
> ! either remote SMTP server certificates or intermediate CA certificates.
> ! These are loaded into memory before the smtp(8) client enters the chroot
> ! jail. If the number of trusted roots is large, consider using
> smtp_tls_CApath
> ! instead, but note that the latter directory be present in the chroot jail
> ! if the smtp(8) client is chrooted. The file may also be used to augment
> ! the client certificate trust chain, but is best to included all the
> ! required certificates directly in the client certificate file. </p>
>
> <p> Example: </p>
>

(Small typo: "it is best to include".)

May I suggest updating the description of smtpd_tls_CAfile accordingly, so that the reader is not confused by insignificant differences and can concentrate on the main point (or, in other words, to better show the symmetry)? E.g.:

-------
%PARAM smtp_tls_CAfile

! <p> A file containing CA certificates of root CAs trusted to sign
! either remote SMTP client certificates or intermediate CA certificates.
! These are loaded into memory before the smtpd(8) client enters the chroot
! jail. If the number of trusted roots is large, consider using smtpd_tls_CApath
! instead, but note that the latter directory be present in the chroot jail
! if the smtpd(8) server is chrooted. The file may also be used to augment
! the server certificate trust chain, but is best to include all the
! required certificates directly in the client certificate file. </p>

<p> Example: </p>
-------

By the way, I'm still not sure whether I understand smtpd_tls_CApath correctly. Would the following description be adequate?

------
%PARAM smtpd_tls_CApath

! <p> Directory with PEM format certificate authority certificates that the
! Postfix SMTP client uses to verify a remote SMTP server certificate.
! Don’t forget to create the necessary "hash" links with, for example,
! "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". </p>
!
! <p> To use this option in chroot mode, this directory (or a copy) must be
! inside the chroot jail. </p>
!
! <p> Please note that the CA certificates in this directory are not offered to
! the client. In order to augment the server certificate trust chain, you can
! use the smtpd_tls_CApath, but is best to include all the required certificates
! directly in the client certificate file. </p>

<p> Example: </p>
-------

(The "in this case" in the current version looks very confusing to me: I always wonder whether it is opposing the chrooted case to the not-chrooted one, or smtpd_tls_CApath to smtpd_tls_CAfile. Hope I got it right. By the way, if the latter paragraph is correct, it may be worth appending its symmetric counterpart (reversing client/server) to the description of smtp_tls_CApath, for the sake of... well, symmetry.)

Thanks,
Manuel.
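Review bot: Besides the "to included" typo already noted, the smtp_tls_CAfile hunk (8927,8940) has a second slip: "note that the latter directory be present in the chroot jail" is missing "must". The sentence before it is the one that earns its place, since it states the practical difference between the two parameters (the CAfile is read before smtp(8) enters the chroot, the CApath directory has to exist inside it); it may be worth making that contrast explicit in one sentence rather than leaving the reader to infer it.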
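Review bot: The suggested smtpd_tls_CAfile text still carries `%PARAM smtp_tls_CAfile` on its first line, and "before the smtpd(8) client enters the chroot jail" should read "the smtpd(8) server" (the later sentence in the same paragraph already says "if the smtpd(8) server is chrooted"). The closing clause "directly in the client certificate file" should be "directly in the server certificate file" to match "the server certificate trust chain" just before it, and the original's "the latter directory be present" (missing "must") is carried over unchanged.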
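Review bot: The first paragraph of the proposed smtpd_tls_CApath text describes the wrong side: under `%PARAM smtpd_tls_CApath` it says "the Postfix SMTP client uses to verify a remote SMTP server certificate", which is the smtp_tls_CApath wording; for smtpd it should be the Postfix SMTP server verifying a remote SMTP client certificate. The last paragraph also contradicts itself: after "the CA certificates in this directory are not offered to the client" it says "you can use the smtpd_tls_CApath" to augment the server certificate trust chain, where smtpd_tls_CAfile (the file, per the quoted smtp_tls_CAfile description) is meant, and "the client certificate file" there should be "the server certificate file"; "but is best to include" needs "it" as in the other hunk.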