On Fri, Aug 24, 2012 at 11:33:16AM +1000, li...@sbt.net.au wrote:

> I'm just setting up a new Postfix server with TLS on CentOS 6, I've
> generated self certified certificate, that all seems OK as follows:
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
> smtpd_tls_key_file = /etc/pki/tls/certs/server.key

You're done.

> but I'm 'missing' the CAfile part

You don't need it. The SMTP server only needs a CAfile or CApath
if it solicits and verifies client certificates.

If your server certificate is not self-signed, include all intermediate
certificates in the server certificate chain together with the server's
certificate in the "server.crt" file. (It is best practice to reserve
the ".crt" suffix for DER encoded files that contain exactly one
certificate, and use a ".pem" suffix for files containing one or
more certificates and perhaps a corresponding key.)

    http://www.postfix.org/TLS_README.html#server_cert_key

-- 
    Viktor.
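
Added example, not part of the original thread: a shell helper that builds the combined certificate file the reply describes, with the server certificate first and the intermediates after it. The function names and file names are hypothetical; it assumes each input holds exactly one PEM certificate and that the private key stays in its own file, as in the configuration quoted above.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.
# Usage after sourcing: build_chain server.pem leaf.pem intermediate.pem

# Print how many PEM certificate blocks FILE contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if FILE is PEM text with exactly one certificate and no key.
check_single_cert() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$1"; then
        echo "$1: contains a private key, refusing" >&2
        return 1
    fi
    n=$(count_certs "$1")
    if [ "$n" -ne 1 ]; then
        echo "$1: expected 1 PEM certificate, found $n (DER file or bundle?)" >&2
        return 1
    fi
}

# build_chain OUT LEAF [INTERMEDIATE...]
# Writes LEAF first, then each intermediate in the order given.
build_chain() {
    [ "$#" -ge 2 ] || { echo "usage: build_chain OUT LEAF [INTERMEDIATE...]" >&2; return 1; }
    out=$1; shift
    for f in "$@"; do
        check_single_cert "$f" || return 1
    done
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        # Copy only the certificate block; awk ends every line with a
        # newline, so END and BEGIN markers of adjacent files cannot fuse.
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$f" >> "$tmp"
    done
    if [ "$(count_certs "$tmp")" -ne "$#" ]; then
        rm -f "$tmp"; echo "chain assembly failed" >&2; return 1
    fi
    mv "$tmp" "$out"
}
```

Point smtpd_tls_cert_file at the resulting file; smtpd_tls_key_file is unchanged and no CAfile setting is involved.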