On Sun, 19 Feb 2012 18:18:12 +0100, Wietse Venema <wie...@porcupine.org>
wrote:
> Artemy Tregubenko:
> > On Sun, 19 Feb 2012 17:10:50 +0100, Wietse Venema <wie...@porcupine.org>
> > wrote:
> > > As per the documentation, Postfix APPENDS to certificates in *CApath
> > > or *CAfile. If you don't specify certificates in *CApath and *CAfile,
> > > then Postfix won't append to them.
> >
> > Could you add this sentence to the documentation: "If you don't specify
> > certificates in *CApath and *CAfile, then Postfix won't append to
> > them."?
> > It's likely there are other people who can misinterpret "APPENDS" the
> > way I did.
>
> The complete sentence is:
>
>     tls_append_default_CA (default: no)
>         Append the system-supplied default certificate authority
>         certificates to the ones specified with *_tls_CApath or
>         *_tls_CAfile.
>
> I.e. it appends when you specify stuff.
>
> Instead of enumerating things that Postfix does not do, it would
> be more helpful to say how to achieve a concrete result:
>
>     To use ONLY system-supplied default certificate authority
>     certificates, specify those with *_tls_CApath or
>     *_tls_CAfile.
>
> I don't think this text belongs under tls_append_default_CA, though.
> It is better placed with the definition of the *_tls_CApath and
> *_tls_CAfile features themselves.
I agree, this is a better explanation and a better place for it. Would you
put it there, please?
> By the way, the default behavior of *_tls_CApath and *_tls_CAfile
> is this:
>
>     To use NO certificate authority certificates, specify
>     no parameter value.
>
> This behavior has been the default since Postfix 2.2, and I will
> not break that, regardless of how much more useful other defaults
> might be.
I understand the importance of backwards compatibility and do not suggest
breaking it. I was hoping that either I had missed some suitable option
in the documentation or you might think of a nice way to make it more
convenient. But even putting those words in the documentation would help.
--
Regards, Artemy
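The following main.cf fragment is an added illustration of the tls_append_default_CA semantics the thread argues about; it is not configuration posted in the thread or taken from the Postfix documentation. It lays out the four combinations of *_tls_CAfile and tls_append_default_CA side by side, using the outbound (smtp_) client parameters; the system CA bundle path is an assumption (a Debian-style ca-certificates location) and must be adjusted for the local system.

```conf
# Added example, not from the thread. Only one case should be active at a
# time; the others are left commented out. The CA bundle path below is an
# assumption for illustration.

# Case 1: site-specific CA only. Only certificates in this file are trusted
# when verifying remote SMTP servers; the system-supplied CAs are not used.
smtp_tls_CAfile = /etc/postfix/private-ca.pem
tls_append_default_CA = no

# Case 2: site-specific CA plus the system-supplied default CAs. The
# "append" takes effect only because smtp_tls_CAfile is non-empty.
# smtp_tls_CAfile = /etc/postfix/private-ca.pem
# tls_append_default_CA = yes

# Case 3: system-supplied default CAs only. tls_append_default_CA does not
# achieve this on its own; point *_tls_CAfile at the system bundle directly
# (path is an assumption, adjust for the local distribution).
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# tls_append_default_CA = no

# Case 4 (the Postfix 2.2+ default): no CA certificates at all. With both
# smtp_tls_CAfile and smtp_tls_CApath empty, tls_append_default_CA = yes is
# a no-op, so no remote server certificate can be verified. Opportunistic
# TLS ("may") still encrypts but never verifies; "verify" or "secure"
# would fail verification and defer the mail.
# smtp_tls_CAfile =
# smtp_tls_CApath =
# tls_append_default_CA = yes

smtp_tls_security_level = may
```

To confirm which case is actually in effect, run `postconf -n | grep -i tls` (non-default settings only) and `postconf -d tls_append_default_CA` to see the built-in default; an empty smtp_tls_CAfile in the first listing means case 4 regardless of what tls_append_default_CA says.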