On Sat, Mar 23, 2024 at 08:04:18AM -0400, Wietse Venema via Postfix-users wrote:

> Please note that Postfix does not automatically use the "system"
> root CA store that openssl s_client and curl may use. That could
> result in verification differences between Postfix and other tools.
> 
> https://www.postfix.org/postconf.5.html#tls_append_default_CA
> 
> tls_append_default_CA (default: no)
>     Append the system-supplied default Certification Authority
>     certificates to the ones specified with *_tls_CApath or
>     *_tls_CAfile. The default is "no"; this prevents Postfix from
>     trusting third-party certificates and giving them relay permission
>     with permit_tls_all_clientcerts.

While true, that should rarely be used or necessary.  An explicit CAfile
and/or CApath is almost always sufficient.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
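
Added example (not part of the original thread and not Postfix project code): a shell helper that builds an `openssl s_client` probe limited to the CAs given by an explicit CAfile/CApath, so its verification result can be compared with Postfix's under the default `tls_append_default_CA = no`. The function name `postfix_trust_probe`, the host `mx.example.com` and the sample path are assumptions; only the trust store is aligned, not other TLS settings.

```shell
#!/bin/sh
# postfix_trust_probe MODE CAFILE CAPATH APPEND_DEFAULT HOST
#   MODE            "print" shows the command, "run" executes it
#   CAFILE, CAPATH  values of smtp_tls_CAfile / smtp_tls_CApath (may be empty)
#   APPEND_DEFAULT  value of tls_append_default_CA
#   HOST            SMTP server to probe on port 25 with STARTTLS
postfix_trust_probe() {
    mode=$1 cafile=$2 capath=$3 append=$4 host=$5

    # This helper only covers the default setting discussed in the thread.
    if [ "$append" != "no" ]; then
        echo "tls_append_default_CA=$append: system CAs are appended, not handled here" >&2
        return 2
    fi

    set -- s_client -starttls smtp -connect "$host:25" -verify_return_error

    # Use only the explicitly configured store; switch off the OpenSSL
    # default file/directory for whichever of the two is not configured.
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; else set -- "$@" -no-CAfile; fi
    if [ -n "$capath" ]; then set -- "$@" -CApath "$capath"; else set -- "$@" -no-CApath; fi

    if [ "$mode" = "run" ]; then
        openssl "$@" </dev/null
    else
        echo "openssl $*"
    fi
}

# Constructed sample values (placeholder path and host), print mode only.
postfix_trust_probe print /etc/postfix/cacerts.pem "" no mx.example.com

# On a Postfix host the arguments can come from the live configuration:
#   postfix_trust_probe run "$(postconf -h smtp_tls_CAfile)" \
#       "$(postconf -h smtp_tls_CApath)" \
#       "$(postconf -h tls_append_default_CA)" mx.example.com
```

If this probe fails while a plain `openssl s_client` succeeds, the difference is the system CA store that the plain invocation picked up on its own.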
