Artemy Tregubenko:
> On Sun, 19 Feb 2012 17:10:50 +0100, Wietse Venema <wie...@porcupine.org>
> wrote:
>
> > As per the documentation, Postfix APPENDS to certificates in *CApath
> > or *CAfile. If you don't specify certificates in *CApath and *CAfile,
> > then Postfix won't append to them.
>
> Could you add to documentation this sentence "If you don't specify
> certificates in *CApath and *CAfile, then Postfix won't append to them."?
> It's likely there're other people who can misinterpret "APPENDS" the way I
> did.

The complete sentence is:

    tls_append_default_CA (default: no)
        Append the system-supplied default certificate authority
        certificates to the ones specified with *_tls_CApath or
        *_tls_CAfile.

I.e. it appends when you specify stuff.

Instead of enumerating things that Postfix does not do, it would be
more helpful to say how to achieve a concrete result:

    To use ONLY system-supplied default certificate authority
    certificates, specify those with *_tls_CApath or *_tls_CAfile.

I don't think this text belongs under tls_append_default_CA, though.
It is better placed with the definition of the *_tls_CApath and
*_tls_CAfile features themselves.

By the way, the default behavior of *_tls_CApath and *_tls_CAfile
is this:

    To use NO certificate authority certificates, specify no
    parameter value.

This behavior has been the default since Postfix 2.2, and I will
not break that, regardless of how much more useful other defaults
might be.

        Wietse
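
Added example, not part of the thread and not Postfix code: a Python check that applies the rule described above to main.cf-style text and reports, per TLS parameter prefix, which CA sources are in effect and where tls_append_default_CA = yes has nothing to append to. Reading "*_tls_" as the smtp, smtpd and lmtp prefixes, the function names and the sample paths are assumptions of this example.

```python
import re

# Assumption: "*_tls_" on the page stands for these Postfix TLS parameter prefixes.
PREFIXES = ("smtp", "smtpd", "lmtp")
SYSTEM = "<system default CAs>"

def parse_main_cf(text):
    """Parse main.cf-style text: 'name = value' lines, '#' comments, and
    continuation lines that begin with whitespace. No $name expansion."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params

def trust_sources(params):
    """Per prefix, list the CA sources in effect under the rule in the thread:
    defaults are appended only when CAfile or CApath is set; otherwise none."""
    append = params.get("tls_append_default_CA", "no").lower() == "yes"
    out = {}
    for p in PREFIXES:
        explicit = [v for v in (params.get(p + "_tls_CAfile", ""),
                                params.get(p + "_tls_CApath", "")) if v]
        out[p] = explicit + [SYSTEM] if explicit and append else explicit
    return out

def append_without_base(params):
    """Prefixes where tls_append_default_CA=yes has nothing to append to."""
    append = params.get("tls_append_default_CA", "no").lower() == "yes"
    return [p for p, src in trust_sources(params).items() if append and not src]

# Constructed sample configuration (paths are placeholders, not from the thread).
SAMPLE = """\
# main.cf excerpt
tls_append_default_CA = yes
smtp_tls_CAfile = /etc/postfix/internal-ca.pem
smtpd_tls_CApath =
"""

if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE)
    for prefix, sources in trust_sources(cfg).items():
        print(prefix, sources or "NO CA certificates")
    print("append has no effect for:", append_without_base(cfg))
```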