On 4/12/2011 2:17 AM, email builder wrote:
Am I correct to infer that both smtp(d)_tls_CAfile settings only serve
a purpose when you want to verify client/server certificates?
If that's the case, why does the example at the bottom of TLS_README
use both the CAfile settings with only opportunistic encryption?
This reduces log noise, and improves the audit trail.
Hmm, OK, not to imply these things are not important, but are these the
only reasons you'd have a CAfile or CApath?
With opportunistic TLS you don't gain any extra security by
verifying the remote cert. This is what makes self-signed
certificates adequate for opportunistic TLS.
Our system seems to work without any CAfile/CApath settings under
opportunistic encryption both incoming and outgoing. Is there a
performance or security difference between using them or not?
You should probably throw in a few trusted root CAs.
1) Is there a place to get a file with the usual suspects already in it?
Most OS's have a package of common root certs available. For
example, FreeBSD provides the security/ca_root_nss port.
2) Does Postfix add new CAs to it when it sees a new one from a client?
No. The CA file/path is a trust list. It would be
inappropriate for a program to add trust automatically.
3) Does it make much difference between CApath or CAfile? I suppose
using CApath only makes sense if the answer to question 2 is "yes"? (File
probably sufficient if it is static and not that big)
Performance may be better with CApath for a large number of
certificates, but mostly this is about how the certs are
bundled for you.
-- Noel Jones
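
Added example, not part of the original message or of the Postfix documentation: a main.cf fragment for the setup discussed in this thread, opportunistic TLS in both directions with a static trust list of root CAs. All file paths are assumptions (the bundle path is where FreeBSD's security/ca_root_nss port is assumed to install its file); adjust them to your system.

```conf
# /etc/postfix/main.cf (illustrative fragment; every path is an assumption)

# Opportunistic TLS: encrypt when the peer offers STARTTLS, and never
# refuse or defer mail because a certificate fails to verify.
smtp_tls_security_level  = may
smtpd_tls_security_level = may

# Server certificate and key. A self-signed certificate is adequate
# at this security level.
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file  = /etc/postfix/tls/server.key

# Trust list used by the SMTP client when it checks remote server
# certificates. With "may" the result affects only what gets logged,
# not whether the mail is delivered.
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt

# Trust list used by the SMTP server. It is consulted for remote client
# certificates only when they are requested (smtpd_tls_ask_ccert = yes).
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt

# CApath alternative: a directory with one PEM file per CA plus the
# OpenSSL hash links (created with c_rehash). CAfile is loaded once,
# before the daemon enters an optional chroot jail; a CApath directory
# is read on demand and must be reachable from inside the jail.
# smtp_tls_CApath = /etc/postfix/certs

# One summary line per TLS session in the mail log.
smtp_tls_loglevel  = 1
smtpd_tls_loglevel = 1
```

The trust list is static: Postfix only reads these files, so adding or removing a CA is an administrator action followed by a reload.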