Hi Viktor, thanks for your answer but that does not answer my question. Is the /etc/ssl/certs directory also loaded by default?

I did the test:

smtp_tls_CApath = /foo/bar

I added/hashed some certs in /foo/bar.

When Postfix connects to an SMTP server (TLS verify), certificates issued by CAs from /etc/ssl/certs AND from /foo/bar are trusted. Do you confirm this?

Thanks,
Jan

On Tue, Jun 8, 2010 at 5:56 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
>
>> I have my postfix set up as a TLS client to other smtp servers. I
>> point smtp_tls_CApath to a directory where I store my own imported
>> trusted CAs. My question is whether or not Postfix will also load the
>> Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
>> set smtp_tls_CApath to /etc/ssl/certs and store my own root CAs there?
>
> http://www.postfix.org/TLS_README.html#client_cert_key
>
>     To verify a remote SMTP server certificate, the Postfix SMTP
>     client needs to trust the certificates of the issuing certification
>     authorities. These certificates in "pem" format can be stored in
>     a single $smtp_tls_CAfile or in multiple files, one CA per file
>     in the $smtp_tls_CApath directory. If you use a directory, don't
>     forget to create the necessary "hash" links with:
>
>     # $OPENSSL_HOME/bin/c_rehash /path/to/directory
>
>     The $smtp_tls_CAfile contains the CA certificates of one or more
>     trusted CAs. The file is opened (with root privileges) before Postfix
>     enters the optional chroot jail and so need not be accessible from
>     inside the chroot jail.
>
>     Additional trusted CAs can be specified via the $smtp_tls_CApath
>     directory, in which case the certificates are read (with $mail_owner
>     privileges) from the files in the directory when the information is
>     needed. Thus, the $smtp_tls_CApath directory needs to be accessible
>     inside the optional chroot jail.
>
>     The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
>     space/time tradeoff. If there are many trusted CAs, the cost of
>     preloading them all into memory may not pay off in reduced access
>     time when the certificate is needed.
>
>     Example:
>
>     /etc/postfix/main.cf:
>         smtp_tls_CAfile = /etc/postfix/CAcert.pem
>         smtp_tls_CApath = /etc/postfix/certs
>
> See also the recent posts about migrating from 0.9.8 CApath to 1.0.0
> CApath where the hash links made by c_rehash are not 0.9.8 compatible
> (and vice versa).
>
> --
>         Viktor.
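The quoted TLS_README text makes two points that are easy to get wrong in practice: a CA file placed in a CApath directory is not found until its hash link exists, and the link names made for OpenSSL 0.9.8 and 1.0.0 differ. The script below is an added example, not code from this thread, from Postfix or from OpenSSL. It builds a CApath directory by hand (what c_rehash automates), with both the 1.0.0-style and the 0.9.8-style link, and uses `openssl verify -CApath` as a stand-in for the Postfix client to show the CA being ignored before the links exist and trusted after. It assumes only that the `openssl` command-line tool (1.0.0 or later, for `-subject_hash_old`) is on PATH; the CA, the leaf certificate and the directory names are throwaway values created by the script itself.

```shell
#!/bin/sh
# Added example, not code from the thread, Postfix or OpenSSL.
# Builds a hashed CApath directory by hand (what c_rehash automates) and
# shows with `openssl verify` that a CA file dropped into the directory is
# only found once its <subject-hash>.N link exists.
# Assumes: the openssl CLI (1.0.0+, for -subject_hash_old) is on PATH.
# Every certificate below is throwaway test data generated at run time.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test CA and a leaf certificate issued by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Copy a CA into a directory WITHOUT hash links: the mistake the quoted
# TLS_README warns about.
stage_ca_unhashed() {
    mkdir -p "$1"
    cp "$2" "$1/ca.pem"
}

# Add the links OpenSSL looks up by subject name. -subject_hash is the
# 1.0.0+ algorithm; -subject_hash_old is the 0.9.8 one, so creating both
# keeps one directory usable across the migration mentioned in the thread.
hash_ca() {
    dir="$1"
    new_hash=$(openssl x509 -noout -subject_hash -in "$dir/ca.pem")
    old_hash=$(openssl x509 -noout -subject_hash_old -in "$dir/ca.pem")
    ln -sf ca.pem "$dir/$new_hash.0"
    ln -sf ca.pem "$dir/$old_hash.0"
}

# Exit 0 if the leaf chains to a CA found in the CApath, non-zero otherwise.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Count the <hash>.N links present in a CApath (what c_rehash would create).
count_hash_links() {
    find "$1" -name '[0-9a-f]*.[0-9]' -type l | wc -l | tr -d ' '
}

main() {
    make_certs
    stage_ca_unhashed "$WORK/capath" "$WORK/ca.pem"
    if verify_with_capath "$WORK/capath" "$WORK/leaf.pem"; then
        echo "unhashed directory: verified (unexpected)"
    else
        echo "unhashed directory: CA not found, verification fails"
    fi
    hash_ca "$WORK/capath"
    echo "hash links created: $(count_hash_links "$WORK/capath")"
    ls -l "$WORK/capath"
    if verify_with_capath "$WORK/capath" "$WORK/leaf.pem"; then
        echo "hashed directory: leaf verified against the test CA"
    fi
}
main
```

Two caveats on reading the result. `openssl verify -CApath` is only a stand-in for the Postfix client: the openssl CLI also loads the library's compiled-in default CA file when no `-CAfile` is given, so the negative case above holds only because the throwaway CA is not in the system store. And the script says nothing about whether Postfix itself consults /etc/ssl/certs; that is the question left open in the message above.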