On Sat, Oct 25, 2014 at 05:51:36PM +0200, Michael Ströder wrote:

> And it seems to describe what I was looking for:
>
> "With Postfix >= 2.11 the "smtp_tls_trust_anchor_file" parameter, or more
> typically the corresponding per-destination "tafile" attribute, optionally
> modifies trust chain verification. If the parameter is not empty the root CAs
> in CAfile and CApath are no longer trusted. Rather, the Postfix SMTP client
> will only trust certificate-chains signed by one of the trust-anchors
> contained in the chosen files."
And under http://www.postfix.org/postconf.5.html#smtp_tls_trust_anchor_file

    Zero or more PEM-format files with trust-anchor certificates and/or
    public keys. If the parameter is not empty the root CAs in CAfile and
    CApath are no longer trusted. Rather, the Postfix SMTP client will only
    trust certificate-chains signed by one of the trust-anchors contained
    in the chosen files. The specified trust-anchor certificates and public
    keys are not subject to expiration, and need not be (self-signed) root
    CAs. They may, if desired, be intermediate certificates. Therefore,
    these certificates also may be found "in the middle" of the trust chain
    presented by the remote SMTP server, and any untrusted issuing parent
    certificates will be ignored. Specify a list of pathnames separated by
    comma or whitespace.

And under http://www.postfix.org/TLS_README.html#client_tls_policy

    verify
        ...
        With Postfix >= 2.11 the "tafile" attribute optionally modifies
        trust chain verification in the same manner as the
        "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may
        be specified multiple times to load multiple trust-anchor files.

Note, when you "pin" the issuer of a domain's certificate chain you have the
luxury of more time between updates, but eventually the site will obtain a
certificate from some other CA or a new issuer key from the same CA. So be
prepared to update the TA data from time to time.

If you choose to store raw public keys in the TA file make sure to annotate
the file, so that years later some poor joe (possibly you) will be able to
determine which CA's keys are trusted and for how long.

--
	Viktor.
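The layout the documentation above implies, written out as an added example (this is not part of Viktor's message nor a file shipped with Postfix): an annotated trust-anchor file that pins the issuing CA rather than the server's leaf certificate, a tls_policy entry that loads it with "tafile" (twice, so a rotation to the next issuer can be staged before the old one disappears), and the main.cf lines that activate the policy map. The destination example.net, the issuer labels, the review date and the scratch directory $PF_DIR standing in for /etc/postfix are all hypothetical, and the certificate body is a labelled placeholder; the annotation lines rely on the PEM reader skipping text outside the BEGIN/END markers.

```shell
#!/bin/sh
# Added example, not from the original message or the Postfix distribution.
# Lays out the three pieces of a pinned-issuer policy for the Postfix >= 2.11
# SMTP client: an annotated trust-anchor (TA) file, a tls_policy entry that
# loads it with "tafile", and the main.cf lines that activate the policy map.
# Hypothetical values: destination example.net, a scratch directory $PF_DIR
# standing in for /etc/postfix, issuer labels, and a placeholder certificate.
set -eu

PF_DIR="${PF_DIR:-$(mktemp -d)}"

# 1. Annotated TA file. The PEM reader ignores text outside the BEGIN/END
#    markers, so the provenance notes the post asks for can live in the file.
write_ta_file() {
    # $1 = file name, $2 = issuer label recorded in the annotation
    cat > "$PF_DIR/$1" <<EOF
# Trust anchor for example.net SMTP: the ISSUING CA, not the server's leaf.
# Issuer: $2 (hypothetical label)
# Captured: 2014-10-25 from the chain served by mx.example.net:25
#   (openssl s_client -starttls smtp -connect mx.example.net:25 -showcerts)
# Review by: 2016-10-25, or sooner if the site changes CA or issuer key.
# A public-key-only anchor would be produced with:
#   openssl x509 -in issuer.pem -pubkey -noout
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PASTE-THE-ISSUING-CA-CERTIFICATE-BODY-HERE
-----END CERTIFICATE-----
EOF
    echo "$PF_DIR/$1"
}

# 2. Policy entry. Two tafile attributes: the issuer in use now and the one
#    expected next, so the pin keeps working across a CA or key rotation.
#    Lines starting with "#" are comments in a Postfix text lookup table.
write_policy() {
    current=$(write_ta_file example.net-ta-current.pem "Example Issuing CA G1")
    next=$(write_ta_file example.net-ta-next.pem "Example Issuing CA G2")
    printf '%s\n' \
      "# Pinned issuer for example.net; see annotations inside the TA files." \
      "example.net verify match=nexthop tafile=$current tafile=$next" \
      > "$PF_DIR/tls_policy"
    echo "$PF_DIR/tls_policy"
}

# 3. main.cf lines: the policy map, plus the general CA bundle, which is
#    NOT consulted for example.net once a tafile is present for it.
write_main_cf() {
    cat > "$PF_DIR/main.cf.snippet" <<EOF
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps = hash:$PF_DIR/tls_policy
smtp_tls_loglevel = 1
EOF
    echo "$PF_DIR/main.cf.snippet"
}

# Lists the tafile paths the policy line carries, one per line, so the
# entry can be audited against the annotations in each TA file.
policy_tafiles() {
    grep -v '^#' "$PF_DIR/tls_policy" | tr ' ' '\n' \
        | grep '^tafile=' | sed 's/^tafile=//'
}

POLICY=$(write_policy)
MAIN_CF=$(write_main_cf)
echo "Wrote $POLICY and $MAIN_CF; build the map with: postmap hash:$POLICY"
```

The "Review by" line in the TA file is the part that matters years later: with a public-key anchor there is no notAfter to remind anyone, so the file itself has to say which CA key is trusted and until when.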