On Fri, Feb 21, 2014 at 12:04:47PM +0100, li...@rhsoft.net wrote:

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

That's a waste of CPU. Leaving it empty is better. No false sense of security.

If you're making "secure-channel" connections to selected destinations, then you need appropriate CAs in smtp_tls_CAfile. With Postfix 2.11, you can specify trust-anchors per-destination in the TLS policy table:

    http://www.postfix.org/postconf.5.html#smtp_tls_trust_anchor_file

(note the chroot comment and required permissions).

-- 
Viktor.
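
The setup described in the reply above, written out as an added configuration sketch that is not part of the original message: opportunistic TLS with an empty CA file by default, and a per-destination trust anchor for one secure-channel destination. The domain example.com, the policy map path and the trust-anchor path are placeholders chosen for illustration.

```cfg
# ---- /etc/postfix/main.cf (constructed example) ----

# Opportunistic TLS for every destination not listed in the policy table.
# At this level delivery proceeds whether or not the peer certificate
# verifies, so loading a system-wide CA bundle here buys no security.
smtp_tls_security_level = may
smtp_tls_CAfile =

# Per-destination overrides live in the TLS policy table.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy (constructed example) ----
# Rebuild the lookup table after editing:  postmap /etc/postfix/tls_policy

# Postfix 2.11 and later: require a verified, name-matching certificate for
# this destination and trust only the anchors in the given file.
# The file (placeholder path) should hold certificates or public keys only,
# must be readable by the unprivileged Postfix user, and must be reachable
# from inside the chroot jail if the smtp(8) client runs chrooted.
example.com    secure tafile=/etc/postfix/ta/example-com.pem
```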